Colorado ADMT Act vs EU AI Act: a vendor's comparison
- The EU regulates how AI is built and governed; Colorado regulates what affected people are told and can do.
- EU human-oversight design and Colorado human-review are the same operational muscle.
- A vendor governed to EU AI Act depth meets Colorado's duties almost as a by-product.
- Sequence to the deeper standard first; derive the lighter one.
- Current as of July 2026. The US state AI landscape is in active motion; these guides track the live position.
Two regimes, two philosophies
The EU AI Act classifies systems by risk and scales obligations accordingly, up to technical documentation, risk management, data governance, human oversight design, and conformity assessment for high-risk systems, with penalties reaching 35 million euro or 7 percent of turnover. Colorado's SB 26-189 skips classification-by-risk almost entirely: if your technology guides consequential decisions about Colorado residents, you owe notice, explanation, human review, correction, and records, whoever you are. Europe regulates how AI is built and governed; Colorado regulates what affected people are told and can do.
Where they overlap, and where one pays for the other
The overlap is real and useful. The EU's human-oversight requirement and Colorado's human-review right are the same operational muscle. The EU's technical documentation contains everything Colorado's developer documentation asks for. The EU's logging obligations produce Colorado's three-year record as a subset. A vendor governed to EU AI Act depth meets Colorado's duties almost as a by-product; the reverse is not true, Colorado readiness leaves nearly all EU work still to do. For sequencing: build once to the deeper standard, derive the lighter one.
Timing, side by side
EU: prohibitions and literacy duties live since February 2025, GPAI duties since August 2025, and under the provisional May 2026 Omnibus agreement, high-risk obligations from 2 December 2027. Colorado: effective 1 January 2027, enforcement currently paused pending litigation and rulemaking. A vendor's honest planning line: EU buyer diligence is already here, Colorado's duties arrive first on paper, and both reward the same underlying discipline.
Key terms
- Risk-based regime
- A law that scales obligations to the risk of the system, as in the EU AI Act.
- Disclosure regime
- A law that regulates through notice, explanation, and consumer rights, as in Colorado's ADMT Act.
- Human oversight
- The EU AI Act design duty whose operational muscle also satisfies Colorado's human-review right.
- Technical documentation
- The EU high-risk artefact that contains what Colorado asks a developer to hand to a deployer.
- Derive once
- The sequencing principle of building to the deeper standard first and deriving the lighter one.