When Colorado enacted the first comprehensive state AI law in 2024, it imported the conceptual architecture of the EU AI Act: a risk-based regime built on duties of care, risk management programs, and impact assessments. Two years later, and within a matter of weeks, the state has dismantled that legislation. On May 14, 2026, Governor Jared Polis signed Senate Bill 26-189, which repeals SB 24-205 and replaces it with a disclosure-and-rights framework focused on automated decision-making technology (“ADMT”). The new framework takes effect January 1, 2027.

The substance of the rewrite has been well-covered already. Less examined is how Colorado got here, and what the speed and direction of the pivot signal for the rest of the state AI regulatory landscape. The new bill was introduced and signed within two weeks of its introduction. The Governor’s AI Policy Working Group did the heavy lift in advance: roughly six months of stakeholder consultation produced the draft framework released on March 17, 2026. But the final two-week sprint reflects pressure to land the rewrite before the original AI Act’s June 30, 2026 effective date and amid escalating federal headwinds.

The Federal Backdrop

On December 11, 2025, the White House issued an executive order (“EO”) titled, “Ensuring a National Policy Framework for Artificial Intelligence.” The EO directs federal agencies to challenge conflicting state AI laws through litigation and coordinated federal action, and urges development of a preemptive national framework. It specifically named Colorado’s AI Act as an example of a state law that, in the administration’s view, would compel AI systems to “produce false results in order to avoid a ‘differential treatment or impact’ on protected groups.”

The EO also created an AI Litigation Task Force with responsibility for challenging state AI laws in federal court on Commerce Clause, preemption, and other constitutional grounds. The Task Force was formally established by AG memorandum on January 9, 2026, and its first visible action was the DOJ’s intervention in the xAI litigation against Colorado’s original AI Act, the same statute SB 26-189 now replaces. Subsequent White House and agency actions in early 2026 have continued to develop the federal policy posture, including legislative recommendations urging Congress to adopt a unified, preemption-oriented framework.

The federal government’s involvement in the resulting litigation followed the executive order. xAI’s challenge to the original AI Act argued that the law unconstitutionally compelled AI developers to embed the state’s preferred viewpoints into their products; the U.S. Department of Justice, acting through the AI Litigation Task Force the EO had directed it to create, intervened in support. On April 27, 2026, a federal magistrate judge stayed enforcement of the Colorado AI Act after the Attorney General stipulated to the stay, citing the pending legislative rewrite.

The Colorado amendment effort predates the December EO. Governor Polis publicly invited legislative revisions when he signed SB 24-205 in 2024, and the special session of August 2025 extended the effective date for the same reason. Business pressure and the Governor’s Working Group were the primary drivers of substantive change. But the federal posture and the xAI injunction unmistakably influenced the speed of the final sprint and reinforced the political case for narrowing the statute. The substantive provisions most directly criticized by the EO: the duty to ban algorithmic discrimination; the impact assessment mandate; and the deployer risk management program, all notably align with the provisions SB 26-189 removes.

From Risk Regulation to ADMT Disclosure

The conceptual shift is the more interesting story for practitioners. The original bill seemingly borrowed its framework from the EU AI Act: a tiered, risk-based regulation of “high-risk AI systems” with affirmative duties to avoid algorithmic discrimination, mandatory impact assessments, governance program requirements, and a safe harbor for entities aligned with industry standard risk management frameworks.

That is the case no longer. The new statute governs “covered ADMT” – automated decision-making technology used to “materially influence” a consequential decision. Material influence requires the ADMT output to be a non-insignificant factor that affects the outcome of the decision through ranking, scoring, constraining options, or otherwise meaningfully altering how the decision is made. The statute also expressly excludes “low-stakes or routine” business activities (advertising, content moderation, cybersecurity, fraud prevention, and AML/sanctions compliance) from the definition of consequential decision, and excludes common technologies like calculators, databases, spreadsheets, and tools used solely to summarize or present information for human review from the definition of ADMT itself.

What replaces the risk-management regime is a disclosure-and-rights framework that should look familiar to anyone who has worked with CCPA’s automated decision-making technology regulations:

• Developer documentation obligations. Developers must provide deployers with technical documentation covering intended uses, known harmful uses, training data categories, known limitations, and instructions for appropriate use and human review. Trade secrets and model weights are protected.
• Deployer notice. Clear and conspicuous notice at the point of interaction with a covered ADMT.
• Post-adverse-outcome disclosure. A plain-language description of the ADMT’s role within 30 days of an adverse outcome.
• Consumer rights. Rights to access personal data used by the ADMT, correct factually incorrect data (excluding opinions, predictions, and scores), and request meaningful human review of adverse decisions.
• Recordkeeping. Three-year retention for both developers and deployers.
• Enforcement. Exclusive AG enforcement under the Colorado Consumer Protection Act, with a 60-day right to cure violations.

The original AI Act imposed substantive obligations on AI development and deployment: how the system must be built, tested, and governed. SB 26-189 now imposes procedural obligations around the use of the system: what must be disclosed, who must be notified, which rights consumers can exercise. The center of gravity moves from algorithmic accountability to procedural transparency.

Why the Divergence Matters

For two years, the prevailing assumption among state AI policymakers was that the EU AI Act provided the template. Colorado was the proof of concept. Colorado’s retreat changes that assumption. SB 26-189 was sponsored by the same legislator (Senator Rodriguez) who championed the 2024 original. The state’s pivot is not a partisan rejection of AI regulation; it is a working majority concluding that the EU-aligned model is not the right vehicle (or at least not in the current political climate).

That conclusion has practical consequences for companies with operations in both the US and EU. Colorado now joins California in anchoring a US-state model focused on disclosure, consumer notice, and rights-based remedies enforced through deceptive trade practice statutes. The EU AI Act, even after the provisional political agreement reached on May 7, 2026 to delay application of its high-risk obligations from 2026 to 2027, remains a substantive risk-management regime. That agreement pushes back when the high-risk obligations take effect, but it does not reduce what those obligations require, and as of this writing it is not yet binding law – the European Parliament and the Council of the EU still have to formally adopt it. Multinationals will increasingly need to maintain two compliance postures rather than one harmonized framework.

Practical Takeaways

For in-house counsel and AI governance teams, the rewrite warrants a recalibration of, but not a retreat from, your governance initiatives:

1. Do not dismantle existing AI governance programs. Risk management programs, impact assessments, and alignment with AI Risk Management Frameworks remain valuable across U.S. AI regulations. SB 26-189 removed Colorado’s specific mandate and the associated safe harbor; it did not eliminate the underlying compliance utility.
2. Reassess scope. Companies that were comfortably outside the prior framework may now be in scope for the new one. Two notable omissions from the new framework also warrant attention. First, SB 26-189 eliminates the original AI Act’s exemption for businesses with fewer than 50 full-time employees, potentially bringing smaller organizations into scope. Second, and more significantly, it removes the affirmative duty of reasonable care to avoid algorithmic discrimination, which was the core substantive obligation of the original law. Companies can still face liability for discrimination under existing Colorado anti-discrimination statutes, but the AI-specific duty of care is gone.
3. Audit “materially influence” exposure. The on/off switch for the entire framework is whether an ADMT output materially influences a consequential decision. Mapping current AI tools against the statutory criteria and its express exclusions for “low stakes” business purposes is the first compliance step.
4. Watch AG rulemaking. Colorado’s Attorney General must complete implementing rulemaking by January 1, 2027. Key open questions (such as the contours of “materially influence,” the post-adverse-outcome disclosure mechanics, the standard for meaningful human review) will be resolved through that process.
5. Don’t bank on federal preemption. Federal pressure can reshape the state legislation without displacing it, which is precisely what happened in Colorado. The DOJ AI Litigation Task Force and the White House’s legislative framework are real pressure points, but Congress has repeatedly declined to enact preemptive federal AI legislation, and state AI laws remain in effect pending legislative or judicial action. Compliance teams should assume the state-by-state landscape persists.

The Bigger Picture

Colorado was the bellwether for state AI regulation aligned with the EU model. Its quick about-face, executed with weeks remaining before the original law’s June 30, 2026 effective date and amid active federal pressure on the same statute, is the strongest signal yet that the EU template will not be the dominant US state framework. Whether the replacement model converges nationally or fragments into a patchwork like our existing state-by-state privacy regime remains to be seen.