Colorado Governor Signs SB 189, Significantly Amending the State's AI Law

Colorado Gov. Jared Polis signed Senate Bill 26-189 (SB 189) on May 14, 2026, substantially revising the state's landmark Colorado Artificial Intelligence Act (SB 205) – the first U.S. law imposing broad obligations on developers and deployers of "high-risk" artificial intelligence (AI) systems. SB 189 repeals and reenacts SB 205 with meaningful changes to scope, definitions, obligations and enforcement. The revised law takes effect January 1, 2027.

Background: Federal Opposition and AI Lawsuit

SB 189 follows months of legal and political pressure against Colorado's original AI law. President Donald Trump's December 2025 executive order on "Ensuring a National Policy Framework for Artificial Intelligence" targeted SB 205 as "excessive State regulation" and directed federal agencies to challenge state AI laws deemed inconsistent with federal deregulatory policy. A large AI developer filed a federal lawsuit challenging SB 205's constitutionality in April 2026, and the U.S. Department of Justice intervened to support the challenge.

Key Obligations for Businesses

SB 189 shifts from regulating "high-risk artificial intelligence systems" to "automated decision-making technology" (ADMT). The new law covers technology used to materially influence consequential decisions – those relating to access to or provision of education, employment, property leases or purchases, financial services, insurance, healthcare or essential government services (Covered ADMT).

This definitional change broadens the covered technologies. SB 205 defined "artificial intelligence systems" as those that infer from inputs and generate outputs (content, decisions, predictions or recommendations). ADMT requires no inference; a system that merely checks whether an answer falls within an acceptable range would qualify. Though some attempts are made to exclude technologies such as spreadsheets, the exclusions are narrow. Cybersecurity and fraud prevention activities are, however, clearly exempted from consequential decisions.

SB 189 imposes distinct obligations on developers (companies that create, sell, license or substantially modify Covered ADMTs) and deployers (businesses that use them).

If a developer markets an ADMT for use in a consequential decision, the developer must:

• provide deployers with documentation of the Covered ADMT that includes:
  • a description of intended uses and known harmful uses
  • categories of training data used (to the extent known)
  • known limitations and risks
  • instructions for appropriate use and human review
  • information necessary for deployers to comply with their disclosure obligations
• notify deployers of material updates within a reasonable time and retain records for at least three years; these obligations apply only where the ADMT was marketed or contracted for consequential-decision use – not off-label uses

Deployers must:

• provide consumers clear notice before using Covered ADMT to materially influence a consequential decision; this may be satisfied through a prominent public notice accessible via a link
• provide notice after using a Covered ADMT to materially influence an adverse outcome that includes:
  • a plain-language description of the decision and the ADMT's role
  • instructions and a simple process to request additional information
• provide information about the ADMT and data inputs used and an explanation of consumer rights and how to exercise them
• retain records for at least three years after a consequential decision

When a Covered ADMT materially influences a decision resulting in an adverse outcome, consumers may:

• access and correct factually incorrect or materially inaccurate personal data
• request meaningful human review and reconsideration (to the extent commercially reasonable); "meaningful human review" requires a reviewer with authority to approve, modify or override the decision who considers primary evidence, is trained for the review, does not default to the system output and has access to information about the system's inputs, limitations and principal factors

What Changed: Key Differences from SB 205

• New Terminology and Scope: SB 189 replaces "high-risk AI system" with "Automated Decision-Making Technology" and introduces a "materially influence" standard – more precise than SB 205's "significant factor" test. Covered domains remain unchanged: employment, education, lending, financial services, insurance, healthcare and essential government services.
• Eliminated Requirements: SB 189 removes three of SB 205's most burdensome compliance obligations:
  • The duty to use "reasonable care" to prevent algorithmic discrimination is eliminated entirely.
  • Mandatory risk management programs for deployers are no longer required.
  • Annual impact assessments are eliminated.
• Sector-Specific Accommodations: SB 189 adds tailored carve-outs absent or less developed in SB 205:
• Health Insurance Portability and Accountability Act (HIPAA)-covered entities are broadly exempt from core obligations for non-employment uses.
  • Insurers subject to existing Colorado algorithmic discrimination rules (Section 10-3-1104.9) are deemed compliant.
  • Creditors complying with Equal Credit Opportunity Act/Fair Credit Reporting Act notice requirements need not provide duplicative disclosures.
  • U.S. Food and Drug Administration-regulated medical devices and related R&D activities are excluded entirely.
• New Liability Framework: SB 189 introduces an explicit liability and indemnification framework absent from SB 205. Developers and deployers may be liable for state antidiscrimination law violations arising from ADMT-influenced decisions, with fault allocated based on relative responsibility. Joint and several liability is not created. Developers are shielded from liability for off-label deployer uses. Critically, contract provisions purporting to indemnify a party for its own discriminatory acts are void.

Enforcement

Like SB 205, SB 189 vests enforcement authority exclusively in the Colorado Attorney General (AG), with no private right of action. Violations constitute deceptive trade practices under the Colorado Consumer Protection Act. Before enforcement, the AG must issue a notice of violation and allow 60 days to cure, unless the violation was done knowingly or repeated. The right to cure sunsets on January 1, 2030.

The AG must adopt rules clarifying post-adverse-outcome disclosure requirements and consumer rights by January 1, 2027, and has broader discretionary rulemaking authority – including to clarify the meaning of "materially influence" through presumptions and illustrative examples.

For additional information, please contact the authors.

Information contained in this alert is for the general education and knowledge of our readers. It is not designed to be, and should not be used as, the sole source of information when analyzing and resolving a legal problem, and it should not be substituted for legal advice, which relies on a specific factual analysis. Moreover, the laws of each jurisdiction are different and are constantly changing. This information is not intended to create, and receipt of it does not constitute, an attorney-client relationship. If you have specific questions regarding a particular fact situation, we urge you to consult the authors of this publication, your Holland & Knight representative or other competent legal counsel.