ooligo
EN
English en Español es Português (Brasil) pt-BR 日本語 ja Français fr Deutsch de
Subscribe
Tools Comparisons Workflows Stacks Learn
Verticals
RevOps Legal Ops Recruiting & TA Customer Success
Language
English Español Português (Brasil) 日本語 Français Deutsch
GitHub Subscribe
ENTRY TYPE · definition

Colorado AI Act (SB 24-205, now SB 26-189)

By Marius Bughiu Last updated 2026-05-26 Recruiting & TA

The Colorado AI Act began life as SB 24-205, the first US state law imposing EU-style risk-management duties on “high-risk artificial intelligence systems” used to make consequential decisions in employment, lending, housing, healthcare, education, insurance, and essential government services. On May 14, 2026, Governor Jared Polis signed SB 26-189, which repealed SB 24-205 in full and replaced it with a thinner disclosure-and-rights framework targeting “covered automated decision-making technology” (ADMT). The replacement law takes effect January 1, 2027. If you are a deployer using AI in Colorado hiring decisions, what binds you is SB 26-189, not the original SB 24-205 text still circulating in vendor compliance decks.

What the Colorado AI Act is NOT (anymore)

The Colorado AI Act is no longer:

  • An algorithmic-discrimination statute. SB 26-189 stripped out the duty-of-care provisions, the algorithmic-discrimination cause of action, the mandatory impact assessments, and the AI risk-management-program requirement that defined SB 24-205.
  • An EU AI Act analogue. SB 24-205 was modeled on the EU AI Act’s risk-based regime. SB 26-189 pivots away from that model and toward a Colorado-Privacy-Act-style disclosure framework.
  • In force. The original SB 24-205 was scheduled to take effect February 1, 2026, delayed to June 30, 2026 by SB 25B-004 in August 2025, then paused by a federal court on April 27, 2026 (a suit filed by an AI developer that the US Department of Justice intervened in), then repealed by SB 26-189 before its effective date ever arrived. SB 26-189 takes effect January 1, 2027.

A vendor that hands you a “SB 24-205 risk management program” attestation in May 2026 is selling a compliance artifact for a law that no longer exists. The relevant question is what SB 26-189 will require on January 1, 2027.

Who is covered under SB 26-189

The law covers developers and deployers of covered ADMT doing business in Colorado, where the ADMT processes personal data and materially influences a consequential decision in one of seven domains:

  • Employment (hiring, termination, promotion, compensation, scheduling)
  • Education and educational enrollment
  • Housing and residential real estate
  • Financial and lending services
  • Insurance
  • Healthcare
  • Essential government services

For recruiting teams: any AI tool used to screen, rank, score, or otherwise materially influence a hiring, termination, promotion, compensation, or scheduling decision about a Colorado candidate or employee falls within scope. Tools that capture data without scoring (transcription, scheduling, ATS routing) sit outside scope on the same logic as NYC LL 144.

There is no employee-count threshold and no small-business carve-out in the statute as enacted.

What SB 26-189 requires of deployers

Four duties matter for hiring teams:

  1. Pre-use notice. Before using the ADMT to materially influence a consequential decision, the deployer must give the affected consumer (candidate or employee) clear-and-conspicuous notice that an ADMT will be used, what it will do, and what data it will process. A buried clause in a privacy policy does not satisfy this — the standard mirrors the LL144 notice standard.
  2. Post-adverse-decision notice within 30 days. When the ADMT contributes to an adverse outcome (no offer, no promotion, termination, denial of a benefit), the deployer must deliver a plain-language description of the decision, the ADMT’s role in it, and instructions for requesting more information.
  3. Meaningful human review on request. The consumer can request human review and reconsideration. The reviewer must have authority to override, must consider relevant evidence, and must be trained. A recruiter who rubber-stamps the AI-generated ranking does not meet this bar.
  4. Three-year records. The deployer retains compliance records — ADMT version identifiers, changelogs, documentation of material changes to risk mitigation — for three years.

Developer obligations (provide a general statement of intended and known harmful uses, data categories, known limitations, and usage instructions to deployers) are upstream. Most ops teams sit on the deployer side, but the deployer’s diligence checklist now needs the developer-side disclosure as an input.

Enforcement and the rulemaking gap

The Colorado attorney general has exclusive enforcement authority. There is no private right of action. The AG has publicly stated he will not enforce SB 26-189 until rulemaking concludes, and rulemaking has not yet begun as of May 2026. The statute provides a cure period before enforcement actions for non-knowing violations — 60 days in the version that passed.

Practical reading: between now and January 1, 2027, the active legal exposure for AI in Colorado hiring is not the Colorado AI Act itself. It is:

  • Federal Title VII disparate-impact analysis (still fully in force regardless of state AI law churn).
  • The Fair Credit Reporting Act when AI scores are sourced from consumer reporting agencies.
  • NYC LL 144 if you screen any NYC-resident candidates.
  • Illinois AIVIA if you use AI-analyzed video interviews on Illinois candidates.
  • The EU AI Act for high-risk employment AI used on EU candidates (high-risk obligations deferred to December 2, 2027 under the EU Digital Omnibus political agreement reached May 7, 2026, pending formal adoption).

The Colorado AI Act becomes a binding compliance artifact on January 1, 2027 — earlier if a deployer wants to use SB 26-189 readiness as a procurement signal.

Watch-outs for recruiting teams

  • Reading the wrong statute. Vendor compliance pages dated before May 14, 2026 still reference SB 24-205’s high-risk classification, impact-assessment template, and algorithmic-discrimination cause of action. None of those bind any deployer anymore. Confirm the vendor’s compliance posture is keyed to SB 26-189, not its predecessor. Guard: require the vendor to identify the statute version their documentation maps to, with a citation.
  • Treating AG non-enforcement as no-exposure. The AG’s stated intent not to enforce until rulemaking concludes is policy, not statute. Existing federal anti-discrimination law is unaffected by it. Guard: run your bias-audit and notice posture against LL144 + Title VII as the floor; SB 26-189 prep is additive.
  • Confusing “covered ADMT” with “any AI tool.” Tools that do not materially influence a consequential decision are not covered ADMT under SB 26-189 — but the materiality test is fact-specific. A “decision-support” tool whose ranking is followed in 95% of cases is materially influencing the decision regardless of how the vendor labels it. Guard: document the human-review process and the override rate; if reviewers override the AI under 10% of the time, treat the tool as covered.
  • Assuming pre-use notice = the job posting boilerplate. SB 26-189’s notice requirement is structurally similar to LL144’s but the content is different (data categories and ADMT description, not bias-audit summary). A team that already publishes an LL144 notice still needs to reach the SB 26-189 content bar. Guard: maintain two notice templates keyed to jurisdiction, or one merged template that meets both.

What deployers should do now

  1. Inventory every AI tool that materially influences a consequential employment decision about a Colorado candidate or employee — including tools deployed at the sourcing, screening, interviewing, scoring, scheduling, or compensation-recommendation step.
  2. Pull the vendor’s SB 26-189 mapping (not SB 24-205). If the vendor does not yet have one, log the gap and put it on the renewal-review checklist.
  3. Draft the pre-use notice and post-adverse-decision notice template against the statute text. Reuse the LL144 notice infrastructure where you have one; add the missing SB 26-189-specific content.
  4. Define the human-review process and assign the reviewer pool, with override authority and training documented. This is the requirement most likely to surprise teams that have been over-relying on the AI scoring.
  5. Start the three-year record-retention clock on January 1, 2027. Build the records collection into the ATS workflow rather than as a separate audit-prep exercise.

Consult counsel for jurisdiction-specific analysis. The rules will move again during the rulemaking process before the January 1, 2027 effective date.

  • NYC Local Law 144 — the AEDT bias-audit framework that is the operational floor for AI-in-hiring compliance today
  • AI policy for recruiting teams — the internal governance template that wraps SB 26-189, LL144, AIVIA, and EU AI Act obligations together
  • AI screening bias — how bias enters AI hiring tools and what the bias-audit step actually measures
  • EU AI Act for legal teams — the EU regime that SB 24-205 originally mirrored and that SB 26-189 pulled away from
Edit this page on GitHub