Colorado landscape
Colorado ADMT law · SB 26-189

Colorado SB 26-189 (ADMT) compliance

Colorado repealed and replaced its AI Act (SB 24-205) in May 2026. The new automated decision-making technology law requires pre-use consumer notices, 30-day adverse-outcome explanations, meaningful human review and developer documentation, effective January 1, 2027.

Effective
Jan 1, 2027
Cure period
60 days
Regulator
Attorney general
Start compliance assessmentBook implementation call

What is Colorado SB 26-189?

Senate Bill 26-189, signed on May 14, 2026, is Colorado's law governing automated decision-making technology (ADMT). It repeals and replaces the Colorado AI Act (SB 24-205), the first comprehensive US state AI law, which never took effect: its start date was delayed from February 1 to June 30, 2026 by SB 25B-004 before SB 26-189 replaced the framework entirely.

What changed: the high-risk AI classification, mandatory risk management programs, annual impact assessments and the duty of care are gone. In their place, SB 26-189 regulates ADMT that materially influences consequential decisions, with duties built around consumer notice, adverse-outcome explanations, meaningful human review and developer documentation.

Effective date

January 1, 2027

Core duties

Notices, 30-day explanations, human review

Complements NIST AI RMF implementation, EU AI Act compliance and the NAIC AI Model Bulletin for insurers. Colorado-licensed insurers should also read the SB 21-169 compliance playbook: insurers complying with that regime are generally deemed compliant with SB 26-189 in the practice of insurance.

Who needs to comply?

Deployers using ADMT in consequential decisions

Organizations whose automated decision-making technology materially influences decisions about education, employment, housing, finance, health care, insurance or government services

ADMT developers

Companies developing or substantially modifying automated decision-making technology used in consequential decisions affecting Colorado

Employers using AI hiring tools

Companies using algorithmic systems for resume screening, candidate evaluation or employment decisions, including for Colorado-resident applicants

Financial institutions

Lenders and financial service providers using ADMT for credit decisions, loan terms or financial products

Healthcare organizations

Providers and payers using ADMT in care access or financial-assistance decisions (HIPAA-covered entities are largely exempt, with limited disclosure duties)

Government agencies

Colorado state and local agencies deploying ADMT that affects access to essential government services and public benefits

How VerifyWise supports SB 26-189 compliance

VerifyWise provides a Colorado SB 26-189 preset that tracks every notice, explanation, review and documentation duty the law requires

SB 26-189 requirement
VerifyWise coverage
Pre-use notice when covered ADMT influences a consequential decision
Per-system notice tracking with records of where and when disclosures appear at consumer interaction points
Adverse-outcome explanation within 30 days
Decision logs and explanation workflows that capture the ADMT's role, data inputs and consumer rights instructions
Meaningful human review and reconsideration
Review queues with trained reviewer assignment, override authority and reconsideration documentation
Developer technical documentation
Structured documentation covering intended uses, known harmful uses, training data categories and known limitations

Additional compliance capabilities

ADMT inventory and scoping

Build an inventory of systems that process personal data and materially influence consequential decisions. The platform helps you classify which technologies qualify as covered ADMT under SB 26-189 and which fall under the statutory exclusions.

Addresses: Both roles: Scoping and classification

Pre-use notice management

Track the clear and conspicuous notices SB 26-189 requires before covered ADMT is used in a consequential decision. The platform records where notices appear, what they say and when they were last reviewed.

Addresses: Deployer obligation: Pre-use consumer notice

Adverse-outcome explanation workflows

When an ADMT materially influences an adverse decision, deployers have 30 days to send a plain-language explanation. The platform manages the clock, the explanation content and the consumer rights instructions that must accompany it.

Addresses: Deployer obligation: 30-day adverse-outcome notice

Human review workflows

Document meaningful human review and reconsideration requests. The platform assigns trained reviewers with override authority, captures the evidence they considered and records the outcome of each reconsideration.

Addresses: Deployer obligation: Meaningful human review

Developer documentation tracking

Maintain the technical documentation developers must give deployers: intended and known harmful uses, training data categories, known limitations and instructions for appropriate use, monitoring and human review.

Addresses: Developer obligation: Documentation and disclosure

Record retention and audit trails

Both developers and deployers must retain compliance records for at least three years. The platform timestamps every notice, explanation, review and documentation update so evidence is ready if the attorney general asks.

Addresses: Both roles: Three-year record retention

All compliance activities include timestamps, assigned owners and audit trails. This systematic documentation satisfies the three-year record retention requirement and keeps evidence ready for attorney general inquiries.

Complete SB 26-189 requirements coverage

VerifyWise provides dedicated tooling for all compliance obligations

12

Compliance requirement areas

12

Areas with dedicated tooling

100%

Coverage of core obligations

Consumer notices3/3

Pre-use notice, adverse-outcome explanation, accessibility

Human review3/3

Review workflows, reviewer training, override records

Developer documentation4/4

Intended uses, limitations, training data, update notices

Records & evidence2/2

Three-year retention, audit trails

Built for Colorado ADMT compliance from the ground up

Notice tracking

Pre-use and adverse-outcome notices per system and decision

Human review queues

Reviewer assignment, training records and override documentation

Developer documentation

Intended uses, limitations and training data categories per system

Multi-state compliance

Integrated view across Colorado, Texas, and federal requirements

Key compliance requirements

Core obligations under Colorado's ADMT law

Pre-use consumer notice

Deployers must provide clear and conspicuous notice before covered ADMT is used to materially influence a consequential decision.

  • Prominent notice at consumer interaction points
  • Explanation that ADMT is or will be used
  • Instructions for obtaining more information
  • Accessible to people with disabilities and limited English proficiency

Adverse-outcome explanation

If covered ADMT materially influences an adverse decision, the deployer must notify the consumer within 30 days.

  • Plain-language explanation of the decision
  • Description of the ADMT's role
  • Instructions for requesting system and data input details
  • Explanation of available consumer rights

Human review and data correction

After an adverse outcome, consumers can request data correction and meaningful human review, to the extent commercially reasonable.

  • Access to and correction of inaccurate personal data
  • Review by a person with authority to override the decision
  • Trained reviewers who do not defer to the automated output
  • Documented reconsideration outcomes

Developer documentation

Developers must give deployers reasonably understandable technical documentation before covered ADMT is used.

  • Intended and known harmful uses
  • Categories of training data, to the extent known
  • Known limitations, risks and uses to avoid
  • Instructions for use, monitoring and human review

Consequential decision areas

Covered ADMT is technology that materially influences decisions in these domains

Education

Enrollment, admissions, financial aid, scholarships

Employment

Hiring, firing, promotion, compensation, work assignment

Housing

Rental applications, tenant screening, housing access

Financial and lending services

Credit, lending, loan terms, financial products

Health care

Care access, treatment decisions, financial assistance

Insurance

Pricing, underwriting, claims decisions, coverage

Government services

Access to essential government services

Public benefits

Benefits eligibility and determinations

Excluded uses: cybersecurity, fraud prevention, spam and robocall filtering, identity verification, anti-money-laundering and system reliability. Legal services, covered under SB 24-205, is no longer a consequential decision domain.

Deployer vs developer obligations

Different requirements based on your role in the ADMT lifecycle

Deployer

Organizations that use covered ADMT to materially influence consequential decisions about consumers

Key obligations

  • Identify covered ADMT used in consequential decisions
  • Provide clear and conspicuous pre-use notice
  • Send adverse-outcome explanations within 30 days
  • Offer meaningful human review and reconsideration
  • Honor data access and correction requests
  • Make notices accessible to all consumers
  • Retain compliance records for at least three years
Compliance deadline: January 1, 2027

Developer

Persons or entities that develop or substantially modify covered automated decision-making technology

Key obligations

  • Document intended and known harmful uses
  • Disclose categories of training data, to the extent known
  • Document known limitations, risks and uses to avoid
  • Provide instructions for use, monitoring and human review
  • Supply information deployers need for their disclosures
  • Notify deployers of material updates or modifications
  • Retain compliance records for at least three years
Compliance deadline: January 1, 2027

Implementation roadmap

A practical path to SB 26-189 compliance before January 1, 2027

Phase 1Months 1-2

Inventory and scoping

  • Identify systems that process personal data
  • Determine which materially influence consequential decisions
  • Map deployer vs developer roles
  • Document statutory exclusions and exemptions that apply
  • Establish governance ownership
Phase 2Months 3-4

Notices and documentation

  • Draft clear and conspicuous pre-use notices
  • Place notices at consumer interaction points
  • Collect developer documentation for purchased systems
  • Prepare technical documentation for ADMT you develop
  • Stand up three-year record retention
Phase 3Months 5-6

Adverse-outcome readiness

  • Define adverse outcomes for each decision domain
  • Build 30-day explanation workflows
  • Template plain-language explanations
  • Set up data access and correction handling
  • Verify notice accessibility requirements
Phase 4Before Jan 1, 2027

Human review activation

  • Designate reviewers with override authority
  • Train reviewers on system limitations and inputs
  • Connect review queues to decision logs
  • Test the end-to-end consumer rights process
  • Track attorney general rulemaking and adjust

Penalties and enforcement

Understanding the enforcement landscape under SB 26-189

Colorado Attorney General enforcement

The Colorado Attorney General has exclusive enforcement authority, with violations treated as unfair or deceptive trade practices under the Colorado Consumer Protection Act. There is no private right of action. The AG must adopt rules clarifying adverse-outcome disclosures by January 1, 2027 and has stated that enforcement will not begin until rulemaking concludes. Contact the AG office at coag.gov.

Unfair or deceptive trade practice

Up to $20,000

Per violation under the Colorado Consumer Protection Act

Cure period

60 days

Notice of violation with opportunity to cure where a cure is possible; sunsets January 1, 2030

Knowing or repeated violations

No cure required

The attorney general may skip the cure period for knowing or repeat violators

Private right of action

None

The attorney general has exclusive enforcement authority

What happened to the affirmative defense?

SB 24-205's affirmative defense for NIST AI RMF or ISO 42001 compliance was repealed along with the rest of that framework. Framework alignment is still the practical way to operationalize SB 26-189's documentation, human oversight and record-keeping duties, and it carries across the other jurisdictions you operate in.

NIST AI RMF

Voluntary alignment with the NIST AI Risk Management Framework

Use case: Operationalizes the inventory, documentation and human oversight duties SB 26-189 expects in practice

VerifyWise: Full NIST AI RMF implementation and evidence generation

ISO 42001

Certification to the ISO 42001 AI management system standard

Use case: Demonstrates systematic governance across every jurisdiction you operate in, not just Colorado

VerifyWise: ISO 42001 readiness assessment and controls mapping

Policy templates

Colorado SB 26-189 policy templates

Access ready-to-use policy templates aligned with Colorado's ADMT law, NIST AI RMF, and ISO 42001

Deployer policies

  • • ADMT Inventory & Scoping Policy
  • • Pre-Use Notice Policy
  • • Adverse-Outcome Explanation Procedures
  • • Human Review & Reconsideration Policy
  • • Data Access & Correction Procedures
  • • Record Retention Policy
  • + 3 more policies

Developer policies

  • • Technical Documentation Standards
  • • Known Limitations Disclosure
  • • Intended & Harmful Use Documentation
  • • Training Data Category Disclosure
  • • Deployer Support Materials
  • • Material Update Notification Policy
  • + 2 more policies

Shared policies

  • • Anti-Discrimination Compliance
  • • Liability Allocation & Contracting
  • • Notice Accessibility Standards
  • • AG Inquiry Response Procedures
  • • Framework Alignment (NIST/ISO)
  • • Multi-State Compliance
  • + 4 more policies
Browse all policy templates

Frequently asked questions

Common questions about Colorado SB 26-189 compliance

Senate Bill 26-189 is Colorado's law governing automated decision-making technology (ADMT). Signed by Governor Polis on May 14, 2026, it repeals and replaces the Colorado AI Act (SB 24-205) and takes effect January 1, 2027. It requires deployers to notify consumers when covered ADMT influences consequential decisions, explain adverse outcomes within 30 days and offer meaningful human review. View the bill at leg.colorado.gov/bills/sb26-189.
It was repealed before it ever took effect. SB 24-205 was signed in May 2024 with an original effective date of February 1, 2026. A special-session bill (SB 25B-004) delayed that to June 30, 2026, and SB 26-189 then repealed and replaced the framework entirely in May 2026. The high-risk AI system classification, mandatory risk management programs, annual impact assessments and the duty of care are all gone from the statute.
January 1, 2027. The attorney general must adopt rules clarifying the content and format of adverse-outcome disclosures by that date, and has stated that enforcement will not begin until rulemaking concludes. Note that enforcement is also subject to ongoing federal litigation (xAI LLC v. Weiser), so organizations should monitor the timeline.
ADMT is technology that processes personal data and uses computation to generate outputs, such as predictions, recommendations, rankings or scores, used to make, guide or assist decisions about an individual. The definition excludes routine tools like antivirus software, firewalls, databases, calculators, spell-checkers, spreadsheets requiring human analysis, tools that only summarize or organize information for human review, and chat tools not used in consequential decisions.
The law only covers ADMT that materially influences a consequential decision, meaning its output is a non-de-minimis factor that affects the outcome, for example by constraining, ranking, scoring, recommending or classifying. Incidental, trivial or clerical uses are out of scope. This is narrower than SB 24-205's "substantial factor" standard for high-risk AI systems.
Decisions affecting education, employment, housing, financial and lending services, health care, insurance, and essential government services and public benefits. Legal services, which appeared in SB 24-205, is no longer on the list. Uses related to cybersecurity, fraud prevention, spam filtering, identity verification, anti-money-laundering and system reliability are excluded.
A decision that denies, terminates, revokes or materially reduces a consumer's access to, eligibility for, selection for or compensation for an opportunity or service in a covered domain, or that results in materially less favorable pricing, costs or terms. Worse terms count, not just outright rejections, so pricing and underwriting decisions can trigger the 30-day explanation duty.
You're a deployer if you use covered ADMT to materially influence consequential decisions about consumers. You're a developer if you create or substantially modify the technology. Some organizations are both. Note that "consumer" is broad: it includes Colorado-resident employees and job applicants, and even non-residents whose access to a Colorado opportunity is being decided.
Two kinds. First, a clear and conspicuous pre-use notice that ADMT is or will be used in a consequential decision, which can be satisfied through prominent public notices at consumer interaction points. Second, if the decision results in an adverse outcome, a notice within 30 days explaining the decision, the ADMT's role, how to request more information and what rights the consumer has. Both must be accessible to people with disabilities and consumers with limited English proficiency.
After an adverse outcome, consumers can request human review and reconsideration, to the extent commercially reasonable. The reviewer must have authority to approve, modify or override the decision, be trained for the review, consider relevant primary evidence, understand the system's intended use and limitations, and must not simply defer to the automated output.
Not as a statutory mandate. SB 26-189 removed SB 24-205's annual impact assessments, NIST-aligned risk management programs, duty of care and attorney general self-reporting. What remains mandatory is narrower: notices, explanations, human review, developer documentation and three-year record retention. Many organizations keep impact assessments as internal best practice since they make the required explanations much easier to produce.
No. The affirmative defense for complying with NIST AI RMF or ISO 42001 was part of SB 24-205 and was repealed with it. Framework alignment is still the practical way to operationalize SB 26-189's documentation, oversight and record-keeping duties, and it carries across other jurisdictions, but it no longer provides a Colorado-specific liability shield.
Yes. Insurers subject to Colorado's insurance algorithm law (SB 21-169) are generally deemed compliant in the practice of insurance. HIPAA-covered entities are largely exempt with limited disclosure duties, and FDA-regulated medical devices are excluded from most requirements. Security, fraud-prevention, identity-verification and anti-money-laundering uses are excluded from consequential decisions.
SB 26-189 allocates liability based on relative fault in discrimination claims arising under existing state anti-discrimination law. Developers are generally not liable when deployers use a system outside its intended or documented use, which makes accurate developer documentation pivotal. Contract terms that indemnify a party for its own violations are void.
Violations are unfair or deceptive trade practices under the Colorado Consumer Protection Act, enforced exclusively by the attorney general with civil penalties of up to $20,000 per violation. Before enforcing, the AG must give a 60-day opportunity to cure where a cure is possible (this sunsets January 1, 2030, and is unavailable for knowing or repeated violations). There is no private right of action. The AG office is at coag.gov.
Yes, if your ADMT materially influences consequential decisions about Colorado consumers, including Colorado-resident employees and job applicants, or about anyone's access to an opportunity in Colorado. Where the developer or deployer is located does not matter.
Yes. VerifyWise provides ADMT inventory and scoping, pre-use notice tracking, 30-day adverse-outcome explanation workflows, human review queues with trained reviewer assignment, developer documentation templates and three-year record retention with full audit trails.

Ready for Colorado SB 26-189 compliance?

Start your compliance journey with our Colorado ADMT assessment and implementation tools. Prepare before the January 1, 2027 effective date.

Start compliance assessmentSchedule consultation
Colorado SB 26-189 (ADMT law) compliance requirements 2027