Hael
Sign inRequest a demo
US State AI Laws · Colorado

SB 24-205 vs SB 26-189: what actually changed in Colorado

Updated 6 July 2026 · 6 min read
Key takeaway
SB 26-189 replaced a risk-management law with a disclosure law. Out: the duty of care against algorithmic discrimination, mandatory impact assessments, deployer risk management programmes, and the NIST/ISO affirmative defence. In: pre-use notice, a 30-day adverse-outcome explanation, human review, data correction, three-year records, and developer documentation. Same subject, different philosophy.
  • The core duty shifted from reasonable care to disclosure and consumer rights.
  • Impact assessments and risk management programmes are gone entirely.
  • The NIST AI RMF / ISO 42001 affirmative defence is repealed and should not be relied on.
  • Enforcement is AG-only, with a 60-day cure period until 2030 and no private right of action.
  • Current as of July 2026. The US state AI landscape is in active motion; these guides track the live position.

Side by side

The comparison, row by row:

DimensionSB 24-205 (repealed)SB 26-189 (in force)
ScopeHigh-risk AI systems in consequential decisionsCovered ADMT in consequential decisions
Core dutyReasonable care against algorithmic discriminationDisclosure and consumer rights
AssessmentsMandatory impact assessmentsNone
Risk programmeRequired for deployersNone
Framework defenceAffirmative defence for NIST AI RMF / ISO 42001None
Consumer rightsNotice and appealNotice, 30-day explanation, human review, correction
RecordsProgramme documentationThree-year retention
EnforcementAttorney GeneralAttorney General, 60-day cure to 2030, no private right
StatusRepealed 14 May 2026, never in forceEffective 1 January 2027, enforcement paused

The philosophical shift

SB 24-205 told organisations how to manage AI risk internally; SB 26-189 tells them what to show the people affected. That shift, from process mandates to disclosure duties, mirrors a wider pattern in US state legislation retreating from EU-style risk regimes under litigation and federal pressure. For compliance teams the practical difference is stark: the old law demanded a programme; the new one demands operational behaviours that a well-run system produces anyway.

The trap in the transition

The affirmative defence deserves its own warning. Under SB 24-205, aligning with the NIST AI RMF or ISO/IEC 42001 bought a statutory shield in Colorado, and a good deal of vendor marketing was built on that hook. The shield is gone. The frameworks remain the sensible way to run governance; anyone still selling them as Colorado legal protection is quoting a repealed statute.

Key terms

Disclosure regime
A law that regulates by mandating what affected people are told and can do.
Risk-based regime
A law that regulates by mandating internal risk-management processes.
Affirmative defence (repealed)
The SB 24-205 statutory shield for organisations aligned with NIST AI RMF or ISO 42001; not part of SB 26-189.
Covered ADMT
Automated decision-making technology within SB 26-189's scope when used in a consequential decision.
Transition
The move from risk-management architecture to disclosure duties in Colorado's AI law.

References

Related guides

Keep reading on US State AI Laws.

Free check

See where you stand on US State AI Laws, free.

Answer a few questions and get an indicative view of what US State AI Laws expects of your AI systems and where you stand today — no sign-up to see your result.

Indicative, not legal advice.
US State AI Laws · indicative readiness
HAEL FREE TOOLLIVE
Applicability
Applies to your AI use
MAPPED
What's expected
Risk classification · governance · documentation · oversight
4 PILLARS
Where you stand
Banded result · pointed to the gaps that matter most
SOURCED
Result
On-screen, free · optional PDF
FREE
Effort
Pre-scoped to US State AI Laws
~ 5 MIN
INDICATIVE · NOT LEGAL ADVICE