Aguardic logoAguardic
Start Free Trial
SB 26-189 · Takes Effect January 1, 2027 (replaces SB 24-205)

Colorado AI Act Was Rewritten. Will Your Consumer Notices Be Ready?

SB 26-189 (May 2026) repealed and replaced SB 24-205 before it took effect. The new framework drops the risk management program, annual impact assessment, and NIST AI RMF rebuttable presumption. In their place: a narrower regime of consumer notices, meaningful human review of adverse decisions, and data access rights — effective January 1, 2027, enforced through CUPA with a 60-day cure period. Aguardic ships the notice and human-review infrastructure as policy-as-code, with the audit trail SB 26-189 enforcement will require.

Start Free TrialTake the Free Audit

14-day free trial · No credit card · Free Colorado AI Act policy pack

Colorado SB 24-205 was repealed and replaced by SB 26-189 on May 9, 2026.

The new framework takes effect January 1, 2027, drops the risk-management programs, annual impact assessments, and NIST AI RMF rebuttable presumption that defined the original law, and replaces them with a narrower consumer notice + appeal regime. Enforcement runs through CUPA with 60-day notice and opportunity to cure; the Colorado AG must still complete rulemaking.

This audit and its citations are aligned to SB 26-189 as of May 14, 2026.

Enforcement Timeline

From SB 24-205 to SB 26-189 — and What's Coming January 1, 2027

May 12, 2026Signed Into Law

SB 26-189 Repeals and Replaces SB 24-205

The Colorado legislature passed SB 26-189 on May 9, 2026, and Governor Polis publicly committed to signing on May 12, 2026. The bill repeals the entire 2024 framework — including the risk management program, annual impact assessment, AG discrimination-notification duty, public-website disclosure, and NIST AI RMF rebuttable presumption — before SB 24-205 ever took effect.

2026 (Ongoing)AG Rulemaking

Attorney General Rulemaking Period

The Colorado AG must complete rulemaking before SB 26-189 enforcement begins. Rulemaking will clarify ADMT (Automated Decision-Making Technology) scope, what counts as a consequential decision under the new framework, and what evidence the AG expects for the new consumer notice and human review duties.

January 1, 2027Takes Effect

Consumer Notice + Meaningful Human Review

Deployers must give Colorado consumers a plain-language notice that ADMT is being used before a consequential decision is made. When an ADMT contributes to an adverse outcome, the deployer must notify the affected consumer within 30 days with information about review rights. Consumers can request a meaningful human review with override authority and access to the underlying data.

Penalty: Routed through CUPA — Colorado AG has exclusive enforcement, no private right of action, 60 days' notice and opportunity to cure before any action. Penalties are discretionary; no statutory per-violation dollar figure.

January 1, 2027Takes Effect

Developer Documentation + 3-Year Records

Developers of ADMT must give deployers a documentation package: intended uses, prohibited uses, known limitations, training data categories, and operational instructions. Both developers and deployers must retain records the statute reaches for at least three years in producible storage. SB 26-189 also pulls in CPA § 6-1-1306 data access and correction rights for consumers.

Does This Apply to You?

The Colorado AI Act Applies if You Make or Enable Consequential Decisions About Colorado Consumers

You're a Developer if you:

  • Build or substantially modify Automated Decision-Making Technology (ADMT) that influences consequential decisions
  • Sell, license, or provide ADMT to deployers operating in Colorado
  • Offer foundation models or AI APIs used by downstream deployers for consequential decisions
  • Integrate third-party AI into a product deployed in Colorado with material modifications (developer documentation obligations apply under Sec. 6-1-1702)

You're a Deployer if you:

  • Use ADMT to make or substantially influence consequential decisions about Colorado consumers
  • Deploy ADMT in hiring, credit, housing, healthcare, education, insurance, legal services, or essential government services
  • Integrate third-party AI into workflows affecting Colorado residents
  • Owe Colorado consumers pre-use notice, post-adverse-outcome notice within 30 days, and meaningful human review under Sec. 6-1-1703

Consequential decisions cover:

Education enrollment or opportunityEmployment or employment opportunityFinancial or lending servicesEssential government servicesHealth care servicesHousingInsuranceLegal services

The jurisdictional test isn't where your company is based — it's whether the ADMT is deployed in connection with consequential decisions about Colorado residents. SB 26-189 retains a conditional carve-out for deployers with fewer than 50 full-time employees, but the carve-out is not automatic — specific conditions must be met.

Enforcement Posture

SB 26-189 Penalties Are Discretionary — Cure Beats Quotes

Discretionary

Penalties under SB 26-189 are discretionary. The statute does not specify a fixed per-violation dollar amount; CUPA penalties are sized to the conduct.

Effective January 1, 2027

60-Day Cure

Before bringing an enforcement action, the Colorado AG must give 60 days' written notice and an opportunity to cure. Organizations that respond with credible remediation typically avoid penalties entirely.

Required by SB 26-189

AG-Exclusive

The Colorado Attorney General has exclusive enforcement authority. There is no private right of action under SB 26-189. CUPA-style remedies (injunctions, restitution, civil penalties) flow through the AG.

Routed through CUPA

SB 26-189 deliberately dropped the SB 24-205 framing of $20,000 per violation per consumer. The new framework rewards organizations that can document a credible response to a 60-day cure notice — which is exactly what a continuous policy-as-code audit trail produces.

Requirements Coverage

Colorado AI Act Coverage Matrix

No single tool covers every SB 26-189 obligation. This is the full statute-to-control reference for the post-rewrite framework — what Aguardic enforces, the evidence it produces, and the judgment work your counsel and operators still own.

3Covered
3Partial
0Not Covered
Total: 6
Partial·

Sec. 6-1-1702

Developer Documentation to Deployers

Developers of Automated Decision-Making Technology (ADMT) must provide deployers a documentation package: intended uses, prohibited uses, known limitations, training data categories, and operational instructions.

How Aguardic helps

AI System Registry captures intended purpose, deployment context, and risk classification, and exposes a versioned distribution channel to downstream deployers. The training data categories and the limitations narrative still require manual enrichment from your ML team.

Evidence produced

AI System Registry exports · versioned policy and config records · downstream-deployer distribution log

What you handle

Author the training data categories and known-limitations narrative. Maintain developer-deployer documentation contracts.

Covered·

Sec. 6-1-1703

Pre-Use Consumer Notice (Plain-Language)

Deployers must give Colorado consumers a clear, plain-language notice that ADMT is being used before a consequential decision is made — not after.

How Aguardic helps

Pre-built Consumer Notice policy fires at every consequential-decision endpoint and blocks actions that ship without the required disclosure. Versioned policies + continuous evaluation produce the timestamped record SB 26-189 enforcement will look for.

Evidence produced

Consumer notice policy evaluation logs · decision-point audit trail · blocked-action records · versioned disclosure copy

What you handle

Approve the disclosure copy with counsel. Confirm the notice renders at every consequential-decision touchpoint (web, mobile, partner-facing).

Covered·

Sec. 6-1-1703

Post-Adverse-Outcome Notice (Within 30 Days)

When an ADMT contributes to an adverse outcome (denial, termination, increased cost) for a Colorado consumer, the deployer must notify the affected consumer within 30 days with a plain-language explanation and information about review rights.

How Aguardic helps

Adverse-outcome events flow into a templated 30-day notification workflow. Aguardic logs trigger time, notice send time, and the review-rights surface consumers saw — producing the timestamped evidence SB 26-189 enforcement requires.

Evidence produced

Adverse-outcome event log · notification send timestamps · review-rights disclosure record · 30-day SLA tracking

What you handle

Approve the notice template with counsel. Maintain the support / legal escalation path for consumers who respond to the notice.

Partial·

Sec. 6-1-1703

Meaningful Human Review of Adverse Decisions

Consumers must be able to request a meaningful human review of an adverse ADMT decision. The reviewer must have authority to override the decision and access to the underlying data.

How Aguardic helps

Aguardic flags adverse decisions that ship without a review pathway, routes review requests into an escalation queue, and logs reviewer identity + override outcome. The end-to-end review workflow (queue staffing, decision authority, customer comms) still lives in your product or your compliance team's hands.

Evidence produced

Adverse-decision violation logs · escalation records · reviewer override decision log · request-to-resolution SLA tracking

What you handle

Staff the human review queue with reviewers who have documented override authority. Build the consumer-facing review-request UI and the appeal decision log.

Partial·

§ 6-1-1306 (pulled in by SB 26-189)

Consumer Data Access + Correction Rights

SB 26-189 pulls in the Colorado Privacy Act's data access and correction rights so Colorado consumers can see and fix the inputs feeding adverse ADMT decisions about them.

How Aguardic helps

Aguardic surfaces the data inputs that influenced a flagged adverse decision and exposes a structured data-subject-request intake. The end-to-end fulfillment workflow (45-day SLA tracking, identity verification, downstream propagation of corrections) still requires product-side wiring.

Evidence produced

Decision-input audit trail · data-subject-request intake log · correction-propagation records

What you handle

Build or procure the data-subject-request fulfillment workflow. Wire corrections back into the ADMT's feature pipeline so the next decision uses the updated data.

Covered·

Sec. 6-1-1702 / 6-1-1703

3-Year Compliance Records

Both developers and deployers must retain the records the statute reaches — notices, post-adverse notifications, human-review outcomes, deployer documentation distribution — for at least three years in producible storage.

How Aguardic helps

Append-only policy evaluation logs and audit-trail exports preserve every notice, review decision, and documentation distribution event for the full 3-year retention window. Records are producible on demand for AG inquiries.

Evidence produced

Append-only evaluation logs · 3-year retention configuration · on-demand audit export bundles

What you handle

Ratify the retention configuration with your records officer. Confirm storage budget covers the 3-year tail.

Browse the Colorado AI Act Policy Pack

Coverage mappings reflect Aguardic's current product capabilities mapped to Colorado AI Act (SB 26-189, the May 2026 rewrite that repealed SB 24-205) requirements for Automated Decision-Making Technology used in consequential decisions. Validate with qualified legal counsel for your specific use case. SB 26-189 dropped the NIST AI RMF rebuttable-presumption safe harbor that existed under SB 24-205.

Colorado vendor assessment?

Answer with SB 24-205 controls Aguardic enforces

Upload it. We draft answers citing Sec. 6-1-1703 + NIST AI RMF function mappings — describing the controls that support the Sec. 6-1-1706 rebuttable-presumption defense. Aguardic produces the underlying audit evidence on an ongoing basis.

Upload questionnaire

Explore Other Frameworks

HIPAAHealthcareEU AI ActEU RegulationSOC 2Trust ServicesISO 42001AI ManagementNIST AI RMFUS FederalAIUC-1AI Agent Security

View all compliance frameworks

Build a Colorado AI Act audit trail before SB 26-189 takes effect.

SB 26-189 replaces SB 24-205 with a narrower consumer notice + human review regime, effective January 1, 2027. Install the Colorado AI Act policy pack, connect your AI systems, and generate the audit evidence the AG's rulemaking will require.

14-day free trial
No credit card required
Colorado AI Act policy pack included
Start Free Trial

Or explore the documentation

This page summarizes key provisions of the Colorado Artificial Intelligence Act (SB 26-189, the May 2026 rewrite that repealed and replaced SB 24-205) for informational purposes only. Aguardic is not a law firm and this is not legal advice. Consult qualified legal counsel to assess your specific compliance obligations. Coverage mappings reflect Aguardic's current product capabilities as of May 2026 and are subject to change as the statute evolves through Attorney General rulemaking.

Colorado AI Act Compliance — Automate SB 26-189 Readiness | Aguardic - Aguardic