Colorado’s AI Act Is Dead. Long Live Colorado’s AI Act.

Colorado AI Act 2026: Elon Musk Sued, Congress Rewrote It, and January 2027 Is the New Deadline

It was supposed to be the most consequential AI regulation in the United States. Two years of political battles, two deadline delays, a federal court injunction, a lawsuit from Elon Musk, and an intervention by the Department of Justice later , Colorado’s landmark AI Act has been repealed, replaced and is now scheduled to take effect January 1, 2027.

If you blinked, you missed most of it. But if you’re advising clients who use AI to make decisions affecting employees, customers, or borrowers, you cannot afford to blink again.

How We Got Here

Colorado enacted the original AI Act, Senate Bill 24-205, in May 2024. It was the first comprehensive state AI law in the country, covering any business that deployed “high-risk AI systems” in consequential decisions affecting employment, housing, healthcare, insurance, education, and financial services.

The obligations were significant such as mandatory risk management programs, annual impact assessments, disclosures to consumers, and a duty to take reasonable care to prevent algorithmic discrimination.

Violations involved enforcement by the state Attorney General.

The reaction, to say the least, was strong – and growing.

Industry hated it. Several Democrats, including Governor Polis (pictured) himself, issued reservations. The opposition lead to a delay in the implementation date which was pushed from February 1, 2026, to June 30, 2026, to allow the legislature another shot at revision. That second shot missed too, triggering a special session in August 2025, which also failed.

Then, in April 2026, things escalated fast.

Elon Musk, the DOJ, and a Federal Court

On April 9, 2026, xAI, Elon Musk’s AI company, developers of the Grok chatbot, filed suit in the US District Court for the District of Colorado seeking to block SB 24-205 on constitutional grounds.

The complaint argued the law was unconstitutionally vague, violated the First Amendment through compelled speech, offended the Dormant Commerce Clause by regulating out-of-state actors, and denied equal protection through what xAI characterised as ideologically motivated carve-outs.

On April 24, the Department of Justice intervened on xAI’s side, the first time the federal government had sought to invalidate a state AI law.

The DOJ focused on the equal protection argument, contending the law’s diversity-oriented provisions constituted impermissible characteristic-based classifications.

Three days later, a federal magistrate judge granted a joint motion to stay enforcement of the original law pending resolution of xAI’s forthcoming preliminary injunction motion. In practical terms, SB 24-205 was frozen.

The Colorado legislature, by now working against the clock and the courts simultaneously, accelerated its replacement bill. Senate Bill 26-189 passed the House 57-6 and the Senate 34-1. Governor Polis signed it on May 14, 2026.

The original Colorado AI Act no longer exists.

What SB 26-189 Does

The new law is materially narrower than what it replaced but narrower does not mean toothless, and it casts a wider net than many compliance teams have appreciated.

While SB 24-205 regulated “high-risk AI systems,” SB 26-189 regulates “automated decision-making technology” (ADMT) which is defined as technology that processes personal data to “materially influence” a “consequential decision.”

Consequential decisions include access to employment, housing, financial services, insurance, healthcare, and education.

What has been removed:

• Mandatory risk management programs (aligned to NIST AI RMF or ISO 42001)
• Annual impact assessments within 90 days of deployment
• The duty to self-report algorithmic discrimination harms to the Attorney General
• The freestanding duty of reasonable care to protect consumers from algorithmic discrimination

What Three Concrete Obligations Replace them:

1. Consumer notice. Deployers must notify consumers when covered ADMT is used to make or materially influence a consequential decision affecting them. The notice must be clear and understandable.

2. Post-adverse-outcome disclosure. If a covered ADMT contributes to an adverse decision, the affected consumer must receive a plain-language explanation of the system’s role within 30 days.

3. Record retention. Deployers must retain compliance documentation for a minimum of three years at the decision level.

There is also a right to human review, which permits consumers to request that a human review a consequential decision influenced by ADMT, and deployers must have a documented operational process, which is not merely a technical capability, for receiving and responding to those requests.

For developers of covered ADMT, a separate set of documentation obligations applies from January 1, 2027.

They must supply deployers with technical documentation covering the system’s intended uses, known limitations, training data categories (to the extent known), and instructions for appropriate use and monitoring, which does not require disclosure of proprietary source code, model weights, or trade secrets.

The Scope Surprise

One of the less-remarked aspects of SB 26-189 is that, despite being lighter in obligations, it arguably pulls more entities into scope than its predecessor, covering more rather than fewer organisations.

The original law contained conditional exemptions for some federally regulated entities. SB 26-189 has eliminated several of those exemptions, bringing additional businesses, particularly in financial services and healthcare, inside the framework. HIPAA-covered entities, for example, are generally exempt under the new law unless they use covered ADMT in employment-related decisions or financial assistance eligibility determinations.

The employer-specific exemption for small businesses applies to organisations with 40 or fewer employees, down from 50 under the original law, though the exemption is conditional and compliance teams should verify the threshold against the enrolled bill text.

The Enforcement Picture: Clear as Mud

The political irony here is substantial. The Colorado Attorney General has stated he does not intend to enforce SB 24-205 or any successor legislation, including SB 26-189, until after the rulemaking process is complete.

The AG must adopt implementing rules — clarifying key terms including the definition of “materially influence,” and setting out consumer rights procedures — by January 1, 2027.

Separately, the xAI litigation (xAI LLC v. Weiser) remains technically active. The enforcement stay applies to SB 26-189 as well as the original law, extending until 14 days after the court rules on xAI’s preliminary injunction motion. That motion will be filed within 28 days of the state finalising rulemaking. So enforcement is contingent on rulemaking, which is contingent on AG action, which is currently subject to a court stay.

The practical compliance posture, as multiple law firms have noted, is to build to the statute’s text while tracking rulemaking closely. The January 2027 date is the operative target. Assume it holds.

The federal preemption question also remains unresolved. The Trump Administration has actively pursued preemption of state AI laws, and Colorado’s tortured path through repeal-and-replace happened partly in that political context. Whether SB 26-189 survives a federal preemption challenge is genuinely open.

Three Additional Colorado AI Bills Pending

SB 26-189 is not the only Colorado AI legislation in play. Three additional bills passed the legislature before the May 13 adjournment and were awaiting Governor Polis’s signature: HB 1263 (chatbot safety), HB 1139 (AI in health insurance coverage decisions), and HB 1195 (AI use by licensed mental health professionals). All carry some veto risk given Polis’s track record of scepticism toward stricter tech regulation.

For law firms advising clients in healthcare, insurance, or any sector using AI-powered customer interaction tools, these bills are worth tracking in parallel with the SB 26-189 compliance timeline.

What Law Firms and Their Clients Should Do Now

The compliance clock is real regardless of enforcement uncertainty. Seven months to January 2027 is a comfortable runway only if preparatory work begins now.

What are some key, practical steps that should be taken now.

Inventory. Map every AI or algorithmic tool your organisation — or your client’s organisation — uses that could materially influence a consequential decision affecting a Colorado resident. This includes HR platforms with AI-assisted screening or performance scoring, underwriting tools, loan decisioning systems, and any AI in patient intake or care pathway routing.

Identify developer vs. deployer status. The obligations differ. If your organisation builds and sells covered ADMT, documentation obligations run to your customers. If you deploy a vendor’s ADMT, you carry the notification and retention obligations and you will need to revisit vendor contracts to ensure you can access the technical documentation SB 26-189 requires developers to supply.

Build the disclosure and retention infrastructure. A 30-day adverse-outcome disclosure window is operationally tight. Consumer notice processes and 3-year document retention systems need to be designed and tested before January 1, 2027, not after.

Design the human review pathway. Documented, operational, and routable. Not a policy paragraph — an actual workflow with named accountable roles.

Monitor rulemaking. The AG’s implementing rules will define “materially influence” and set the practical scope of notice and correction rights. These rules may substantially affect the cost and complexity of compliance. Staying current with rulemaking is not optional.

The Double Exposure for Law Firms

Law firms occupy an interesting position at present because they are simultaneously advisers to clients navigating ADMT compliance, and potential deployers themselves.

Firms using AI tools in hiring, performance review, associate evaluation, or lateral screening are deployers of ADMT if those tools materially influence employment decisions. The same compliance obligations that apply to corporate clients apply to the law firm using a résumé-screening algorithm or an associate performance-tracking tool.

The fact that most law firms have not yet confronted this dual exposure is, itself, a story that will not stay quiet for long.

The Broader Picture

Colorado’s convulsive experience with AI regulation illustrates, in a graphic and somewhat compressed form, the difficulty every jurisdiction faces when trying to govern technology that moves faster than legislative cycles.

The original law was ambitious, arguably over-engineered, and almost certainly unenforceable on its original timeline. The replacement is leaner, more targeted, and more likely to survive but it lands in a legal environment where federal preemption remains a live threat and the xAI litigation has not been resolved.

What is clear is that AI governance, the question of who is responsible when an automated system makes a consequential decision that harms someone, has moved from theoretical to operational. Colorado may have blinked on the details, but it has not blinked on the underlying principle.

LawFuel covers legal AI regulation, law firm compliance obligations, and developments in the AI governance landscape.

2026 COLORADO AI ACT: QUICK REFERENCE TABLE