
The Colorado AI Act in 2026, what small businesses actually need to do right now

The Colorado AI Act most business owners read about in 2024 no longer exists. The original law, SB 24-205, was sued, stayed by a federal court, repealed, and replaced, all within eight months. The new law is SB 26-189, signed May 14, 2026. It is narrower, more SMB-friendly, and does not take effect until January 1, 2027. If you have been dreading compliance with the old version, the good news is that the old version is gone. If you have been ignoring AI governance entirely, the new version gives you a clean deadline to stop doing that.

The five-sentence version: The original Colorado AI Act (SB 24-205) was signed in May 2024 with a February 2026 effective date. It was then delayed to June 2026, then sued by Elon Musk's xAI, then stayed by a federal court in April 2026, then repealed and replaced entirely on May 14, 2026. The new law is SB 26-189. It uses a completely different framework (automated decision-making technology instead of high-risk AI systems), has a 40-employee carve-out with meaningful exceptions, and does not take effect until January 1, 2027. The penalties are up to $20,000 per violation, enforced exclusively by the Colorado Attorney General with a 60-day cure period.

June 2026 status at a glance

SB 24-205 (the original Colorado AI Act) is repealed. SB 26-189 is signed and effective January 1, 2027, pending mandatory Attorney General rulemaking. The 40-employee carve-out is real but disappears for hiring decisions, healthcare, financial services, and insurance regardless of company size. Out-of-state businesses serving Colorado residents are covered. Nothing is required of you until January 1, 2027, but the rulemaking will clarify the details you need before then.

Two years of whiplash, a quick history

The original Colorado Artificial Intelligence Act, SB 24-205, was signed by Governor Jared Polis in May 2024 as the first comprehensive U.S. state AI law. Modeled loosely on the EU AI Act, it required developers and deployers of "high-risk AI systems" to implement duty-of-care protections, run mandatory risk assessments, and notify the Attorney General of algorithmic discrimination within 90 days.

Then the timeline collapsed. In August 2025, Polis signed SB 25B-004 in a special session pushing the effective date from February 1, 2026 to June 30, 2026, after lawmakers failed to reach an amendment compromise. On April 9, 2026, Elon Musk's xAI filed suit in U.S. District Court for Colorado (X.AI LLC v. Weiser, No. 1:26-cv-01515), alleging First Amendment, Commerce Clause, vagueness, and Equal Protection violations. The U.S. Department of Justice intervened on April 24, focusing on the Equal Protection claim against the law's diversity carve-out.

On April 27, 2026, the U.S. District Court granted a joint motion staying enforcement of SB 24-205, with the Colorado Attorney General agreeing not to promulgate rules or enforce the pending legislation. Three weeks later, on May 14, 2026, Polis signed SB 26-189, which repealed and replaced SB 24-205 entirely (Colorado General Assembly, Holland and Knight, DLA Piper, Brownstein).

The new law is a deliberate pivot away from the EU model toward a leaner transparency-and-disclosure framework. Colorado explicitly chose not to require impact assessments, bias audits, or NIST AI RMF programs. What remains is narrower, more practical, and more SMB-survivable.

What SB 26-189 actually covers

SB 26-189 regulates Automated Decision-Making Technology (ADMT) that "materially influences" a "consequential decision." That phrase is the hinge everything else swings on, and the Attorney General must define it through rulemaking before January 1, 2027.

A consequential decision is any output that does more than incidental things, meaning it ranks applicants, constrains options, or sets a price. An AI that answers FAQ questions is not making a consequential decision. An AI that scores job applicants and filters out the bottom 80 percent is.

Seven domains are covered. Employment decisions, which include hiring, firing, and compensation. Education. Housing, which covers both rental and purchase of real estate. Financial or lending services. Insurance. Healthcare services. And essential government services and public benefits. If your ADMT touches any of these seven domains and your output materially influences what happens to a real person in Colorado, you are in scope.

What was removed from the original SB 24-205 matters as much as what remained. Annual impact assessments are gone. The 90-day algorithmic discrimination notification requirement to the Attorney General is gone. Mandatory risk-management programs based on NIST AI RMF or ISO 42001 are gone. Duty of care to prevent algorithmic discrimination is gone. What replaced all of that is a notice-and-transparency framework: tell people when AI is influencing decisions about them, explain what happened when the outcome was adverse, and give them a meaningful path to human review.

The 40-employee carve-out, real but conditional

The most important change for small businesses is the headcount threshold. SB 26-189 lowered the employee carve-out from 50 to 40 employees. If you have fewer than 40 employees, you are exempt from most of the law's requirements. But the carve-out has meaningful exceptions that small businesses in certain industries will hit regardless of size.

The carve-out disappears if you use ADMT to materially influence hiring or compensation decisions. The law makes an explicit exception for employment-related ADMT, meaning a 15-person company that uses an AI resume screener for Colorado-based roles is in scope despite being well under the headcount threshold.

The carve-out also disappears in sector-specific domains. A 20-person insurance brokerage in Boulder using AI for underwriting is covered because insurance is one of the seven enumerated domains with no general SMB exemption. A 15-person medical clinic using AI to triage patient appointments is likely covered if the AI materially influences access to care. A 25-person property manager using AI for tenant background checks is covered because housing is a covered domain.

The carve-out also narrows if your company trains the ADMT on its own data rather than using an off-the-shelf model without modification.

There is no revenue threshold in SB 26-189. The carve-out is purely headcount-based, which means a 38-person company with $10 million in revenue is as exempt as a 38-person company with $800,000 in revenue, as long as neither of them uses ADMT in the excepted categories.

What you actually have to do

For SMBs in scope after the carve-out analysis, SB 26-189 requires three things.

Clear and conspicuous notice at the point of interaction. When a customer, applicant, or patient interacts with ADMT that will materially influence a decision about them, they have to know AI is involved. The notice has to be prominent, plain-language, and available before the decision is made, not buried in a terms-of-service page on page twelve.

Plain-language explanation after an adverse outcome. If the AI influences a decision against someone, such as a rejected loan application, a declined rental, a resume that did not advance, or a patient who got routed to a lower-priority care tier, you have 30 days to send that person an explanation in plain language of what the ADMT considered and what role it played. The explanation cannot require them to dig through technical documentation. It has to be something a person without an AI background can understand.

A meaningful human review right. Anyone who receives an adverse decision influenced by ADMT has the right to request human review by a trained, authorized person who does not simply defer to the system's output. That reviewer has to have access to the inputs and factors the AI used, without being required to disclose trade secrets. A rubber-stamp review where the human looks at the AI's score and clicks "confirm" does not satisfy the requirement.

Note what is not required. Impact assessments are not required under Colorado law. Bias audits are not required. A NIST AI RMF program is not required. Annual reports to the Attorney General are not required. The compliance posture is disclosure and access, not certification and audit. That is a meaningfully lighter lift than what the original SB 24-205 demanded, and it is substantially lighter than the EU AI Act for comparable use cases.

Out-of-state businesses serving Colorado residents

SB 26-189 applies to any entity "doing business in Colorado" whose ADMT affects Colorado residents. That phrase has reach.

An employment-context consequential decision reaches out-of-state applicants evaluated for Colorado-based roles. A remote-first company headquartered in Texas that hires for a Boulder office using an AI resume screener is covered by the law, regardless of where the company is incorporated or where the AI runs. A New York property management firm that screens Colorado tenant applications through an AI tool is covered. A Florida-based insurance company underwriting Colorado homeowners is covered.

The connecting thread is whether the person affected is a Colorado resident or is applying for a position, tenancy, loan, policy, or service that is physically or legally located in Colorado. If the answer to either is yes, the out-of-state origin of the AI tool does not create an exemption.

For remote-first SMBs that hire across states, this is the most common overlooked exposure. A 20-person SaaS company in Denver that uses an AI interview scoring tool for all its hires is covered. A 60-person company in Chicago that uses the same tool specifically when evaluating candidates for its Denver positions is also covered, even though it comfortably clears the 40-employee threshold nationally.

Penalties and enforcement

The Colorado Attorney General has exclusive enforcement authority. There is no private right of action, which means individual consumers cannot sue you directly under SB 26-189. Only the AG can bring enforcement action.

Violations are treated as unfair trade practices under the Colorado Consumer Protection Act. The penalty is up to $20,000 per violation. There is a 60-day cure period before enforcement, except for knowing or repeated violations, where the cure period does not apply.

Rulemaking is now mandatory, not permissive as it was under SB 24-205. The Attorney General must complete rulemaking by January 1, 2027, the same day the law takes effect. If rulemaking slips past that date, real enforcement risk slides further out. Watch the Colorado AG's office for the rulemaking schedule, and watch the X.AI v. Weiser docket for any further federal court activity that could complicate the timeline.

Real SMB scenarios that trigger compliance

Five concrete scenarios to test whether your AI use is in scope.

A 30-person SaaS company uses an off-the-shelf AI resume screener for Colorado-based engineering roles. In scope. The employment carve-out exception applies even though the company is well under 40 employees. The AI is materially influencing hiring decisions for Colorado residents.

A 25-person property management company runs AI tenant background checks on Denver apartments. In scope. Housing is a covered domain with no general SMB exclusion. The AI is influencing whether someone can rent a home.

A small insurance brokerage in Boulder with 18 employees uses AI for underwriting scoring. In scope. Insurance is sector-specific, and the carve-out does not apply regardless of headcount.

A 15-person clinic in Colorado Springs uses AI to triage patient appointment priority. Likely in scope if the triage materially influences access to care. Healthcare is a covered domain. A tool that simply routes administrative scheduling without affecting clinical priority is probably not consequential. A tool that affects which patients get seen this week versus next month is.

A 20-person marketing agency in Cheyenne, Wyoming, targets Colorado consumers with AI-driven ad recommendations. Out of scope. Ad targeting is not a consequential decision in the covered domains. The AI is not influencing employment, housing, lending, insurance, or healthcare. It is showing one ad over another.

How it compares to EU AI Act and NYC LL 144

Colorado is now the lightest of the three major frameworks SMBs should understand, which is a significant change from where SB 24-205 sat.

The EU AI Act is risk-based, prohibits certain AI uses outright, imposes pre-deployment conformity assessments for high-risk systems, and carries penalties up to seven percent of global annual turnover. There is no SMB carve-out for high-risk systems. A 35-person company in Germany using AI for employee hiring faces the same requirements as a 35,000-person company. It also reaches non-EU companies whose AI outputs affect EU residents, which is the extraterritorial hook that catches the most SMBs off guard.

New York City Local Law 144 requires any employer or employment agency using an automated employment decision tool for NYC candidates or employees to commission an annual independent bias audit, make the audit results publicly available, and notify candidates at least ten business days before the tool is used. There is no headcount exemption. A two-person recruiting firm in Manhattan that uses an AI resume screener is as covered as a 2,000-person firm.

California's ADMT regulations under the CPPA reach companies with over $25 million in annual gross revenue, 100,000 consumers' data, or 50 percent of revenue from selling consumer data. The consumer right to opt out of solely automated decisions applies regardless of headcount if the revenue threshold is met. California did not adopt the impact-assessment framework; it kept the rights-based structure.

Colorado SB 26-189 is now the most SMB-tolerant of the four frameworks. Notice, explanation, and human review at a 40-employee threshold with a 60-day cure period and $20,000 maximum fines is a proportionate compliance posture. The tradeoff is that it also covers less. An SMB in the seven covered domains still faces real obligations. An SMB outside those domains is essentially unregulated by SB 26-189 regardless of how aggressively it uses AI.

What to do this month

Six steps to take before the Attorney General completes rulemaking and the deadline arrives.

First, inventory your AI systems by business function and flag any that touch the seven covered domains. The list should include every tool that produces a ranking, score, filter, or recommendation that a human uses to make a decision about another person. Include off-the-shelf tools you did not build yourself, because deployers (not just developers) are covered.

Second, map data flows for Colorado residents. If you serve customers, screen applicants, approve tenants, or process patients in Colorado, trace which AI tools touch those interactions and what the outputs look like. If you are outside Colorado but hire for Colorado positions, that is in scope too.

Third, draft point-of-interaction notice templates. These do not have to be legal documents. They have to be plain language and conspicuous. "This application uses AI to help evaluate your eligibility. A human will review AI-assisted decisions." is a starting point. The Attorney General's rulemaking will clarify what conspicuous means by January 2027, so build a template now and plan to refine it.

Fourth, build an adverse-outcome explanation template. For each AI system that influences a consequential decision, write out in plain English what the AI considers and what it would say to someone whose application was declined, application was not advanced, or claim was denied. That explanation has to go out within 30 days of an adverse decision. Having the template ready before the first adverse outcome is much easier than writing it under pressure after.

Fifth, stand up a human-review process. Identify who in your organisation is authorised to review AI-assisted decisions and override them. That person needs access to the inputs the AI used and the latitude to make a different decision without having to justify why they are overriding the model. Document the process. A written procedure that says "if a customer requests human review of an AI-assisted decision, contact [name/role] within X business days" is the minimum viable posture.

Sixth, do not tear down any NIST AI RMF or ISO 42001 work you have already done. Colorado dropped those requirements. New York City, the EU AI Act, the EEOC's guidance on AI-assisted employment decisions, and likely federal AI regulation over the next two years still benefit from that governance infrastructure. Keeping a risk register and a basic governance framework is a no-regret investment regardless of what Colorado ultimately enforces.
