SB 24-205 vs SB 26-189: what actually changed in Colorado
- The core duty shifted from reasonable care to disclosure and consumer rights.
- Impact assessments and risk management programmes are gone entirely.
- The NIST AI RMF / ISO 42001 affirmative defence is repealed and should not be relied on.
- Enforcement is AG-only, with a 60-day cure period until 2030 and no private right of action.
- Current as of July 2026. The US state AI landscape is in active motion; these guides track the live position.
Side by side
The comparison, row by row:
| Dimension | SB 24-205 (repealed) | SB 26-189 (in force) |
|---|---|---|
| Scope | High-risk AI systems in consequential decisions | Covered ADMT in consequential decisions |
| Core duty | Reasonable care against algorithmic discrimination | Disclosure and consumer rights |
| Assessments | Mandatory impact assessments | None |
| Risk programme | Required for deployers | None |
| Framework defence | Affirmative defence for NIST AI RMF / ISO 42001 | None |
| Consumer rights | Notice and appeal | Notice, 30-day explanation, human review, correction |
| Records | Programme documentation | Three-year retention |
| Enforcement | Attorney General | Attorney General, 60-day cure to 2030, no private right |
| Status | Repealed 14 May 2026, never in force | Effective 1 January 2027, enforcement paused |
The philosophical shift
SB 24-205 told organisations how to manage AI risk internally; SB 26-189 tells them what to show the people affected. That shift, from process mandates to disclosure duties, mirrors a wider pattern in US state legislation retreating from EU-style risk regimes under litigation and federal pressure. For compliance teams the practical difference is stark: the old law demanded a programme; the new one demands operational behaviours that a well-run system produces anyway.
The trap in the transition
The affirmative defence deserves its own warning. Under SB 24-205, aligning with the NIST AI RMF or ISO/IEC 42001 bought a statutory shield in Colorado, and a good deal of vendor marketing was built on that hook. The shield is gone. The frameworks remain the sensible way to run governance; anyone still selling them as Colorado legal protection is quoting a repealed statute.
Key terms
- Disclosure regime
- A law that regulates by mandating what affected people are told and can do.
- Risk-based regime
- A law that regulates by mandating internal risk-management processes.
- Affirmative defence (repealed)
- The SB 24-205 statutory shield for organisations aligned with NIST AI RMF or ISO 42001; not part of SB 26-189.
- Covered ADMT
- Automated decision-making technology within SB 26-189's scope when used in a consequential decision.
- Transition
- The move from risk-management architecture to disclosure duties in Colorado's AI law.