Colorado Rewrites Its AI Employment Law: What HR Teams Need to Know About SB 26-189

Colorado repealed its landmark AI Act (SB 24-205) and replaced it with SB 26-189, a narrower framework focused on automated decision-making technology. Here's what changed, what employers must do, and how compliance technology can help navigate the new multi-state AI landscape.

Emily Chen
HR Technology and Compliance Automation Contributor

On May 14, 2026, Colorado Governor Jared Polis signed SB 26-189, repealing the state's original Artificial Intelligence Act (SB 24-205) and replacing it with a narrower statute focused on automated decision-making technology. The original law — the first comprehensive state AI regulation in the country — was scheduled to take effect June 30, 2026. Instead, it never went into force.

For HR teams that spent the past year preparing for SB 24-205's sweeping requirements — risk management programs, annual impact assessments, broad public disclosures — the rewrite changes the compliance calculus significantly. But it does not eliminate the obligation to act. SB 26-189 still imposes meaningful transparency, notice, and consumer rights requirements on employers who use automated tools in consequential employment decisions. And it takes effect January 1, 2027, giving organizations roughly six months to prepare.

More critically, Colorado's rewrite is happening against a backdrop of accelerating state-level AI employment regulation across the country. Illinois, New York City, California, and other jurisdictions are imposing their own requirements — with different scopes, different timelines, and different enforcement mechanisms. For multi-state employers, the challenge is no longer a single law. It is a patchwork, and managing it manually is becoming untenable.

What Happened: From SB 24-205 to SB 26-189

Colorado's original AI Act (SB 24-205) was signed in 2024 and represented the most ambitious attempt by any U.S. state to regulate private-sector AI use. It covered any "high-risk artificial intelligence system" that could influence decisions in employment, housing, lending, healthcare, and other critical areas.

For employers, the obligations were extensive:

  • Implement a risk management policy and program for each high-risk AI system
  • Conduct and document annual impact assessments evaluating algorithmic discrimination risk
  • Notify consumers when AI was used in consequential decisions, including disclosure of the system's purpose and the right to appeal
  • Offer human review of adverse decisions where technically feasible
  • Maintain public disclosures about the use of high-risk AI systems
  • Annually review each deployed system for signs of algorithmic discrimination

Industry pushback was substantial. Businesses argued the requirements were too broad and too burdensome, particularly for organizations already navigating overlapping federal and state regulations. The effective date was pushed from February to June 30, 2026, and a legislative task force was convened to reconsider the approach.

The result was SB 26-189, which Governor Polis signed on May 14, 2026. It repeals SB 24-205 entirely and replaces it with a more focused framework.

What SB 26-189 Requires

The replacement law narrows both the scope of regulated technology and the obligations imposed on employers (referred to as "deployers" in the statute).

Narrower Definition of Covered Technology

SB 26-189 replaces the broad "high-risk artificial intelligence system" category with a more targeted concept: automated decision-making technology (ADMT). Under the new law, ADMT is defined as technology that processes personal data and uses computation to generate outputs — predictions, recommendations, classifications, rankings, scores, or other information — that are used to make, guide, or assist a consequential decision about an individual.

A consequential decision is defined as one that relates to an individual's access to, eligibility for, or compensation related to employment, education, housing, financial or lending services, insurance, healthcare services, or essential government services and public benefits.

This means the law still covers AI tools used in hiring, promotion, compensation, and termination decisions. But it no longer captures every "high-risk" AI system an organization might deploy across its operations.

What Employers Must Do

Under SB 26-189, employers who deploy covered ADMT must:

  1. Provide consumer notice at the point of interaction with the ADMT — meaning job applicants and employees must be informed when automated technology is being used in a decision that affects them.

  2. Disclose the ADMT's role in adverse outcomes within 30 days after the system makes a consequential decision that results in an adverse outcome for the individual. The Colorado Attorney General must adopt rules clarifying these post-adverse-outcome disclosure requirements by January 1, 2027.

  3. Honor data rights requests — consumers can request the personal data the ADMT processed and request correction of factually incorrect data.

  4. Provide meaningful human review — consumers can request human review and reconsideration following a covered ADMT making a consequential decision that results in an adverse outcome.

  5. Retain records demonstrating compliance for at least three years.

What Was Removed

Several of SB 24-205's most burdensome requirements are gone:

  • No more mandatory risk management programs — the requirement to implement and maintain a formal risk management policy and program has been eliminated.
  • No more annual impact assessments — the detailed written assessments evaluating algorithmic discrimination risk are no longer required.
  • No more broad public disclosures — the requirement to publish public statements about the use of high-risk AI systems has been replaced with targeted consumer-facing notices.
  • No more "reasonable care" standard — the framework has shifted from a duty-of-care model to a transparency and disclosure model.

Enforcement

The Colorado Attorney General retains exclusive enforcement authority. Violations are treated as deceptive trade practices under the Colorado Consumer Protection Act. Critically, before January 1, 2030, the Attorney General must provide a 60-day notice and opportunity to cure before initiating enforcement action — a significant grace period for employers working in good faith to comply.

There is no private right of action. However, the law does establish how fault is allocated between developers and deployers in civil actions alleging unlawful discrimination under existing law — meaning employers cannot simply shift liability to their AI vendors.

The Multi-State AI Compliance Patchwork

Colorado's rewrite matters in isolation, but it matters even more in context. Employers using AI in employment decisions now face a growing matrix of state and local requirements with different scopes, different compliance mechanisms, and different enforcement timelines.

New York City: Local Law 144

New York City's Local Law 144 has been in effect since July 2023 and remains the most operationally demanding AI hiring law in the country. It requires:

  • Annual independent bias audits of any Automated Employment Decision Tool (AEDT) used for hiring or promotion in NYC
  • Public posting of audit results on the employer's website
  • Ten business days' advance notice to candidates before an AEDT is used
  • Civil penalties of $500–$1,500 per violation per day of noncompliance

Illinois: HB 3773

Illinois HB 3773, effective January 1, 2026, amended the Illinois Human Rights Act to address AI in employment. Key requirements include:

  • Notice to employees and applicants whenever AI is used to influence any employment decision — hiring, promotion, discharge, discipline, or terms of employment
  • Prohibition on using zip codes or other data that serve as proxies for protected characteristics in AI-driven decisions
  • Enforcement by the Illinois Department of Human Rights with civil penalties up to $5,000 per violation

Federal: EEOC Enforcement

At the federal level, the EEOC has made clear that Title VII, the ADA, and the ADEA apply fully to AI-driven employment decisions. Employers are liable for disparate impact caused by automated tools — even when those tools are provided by third-party vendors. The EEOC's position is unambiguous: "the algorithm did it" is not a defense.

Emerging Requirements

California is developing regulations under the Fair Employment and Housing Act that will impose additional requirements on AI in employment. New Jersey and Minnesota have legislation in progress. The trend line is clear: more states are regulating, and each one is doing it differently.

What This Means for Employers

The shift from SB 24-205 to SB 26-189 reduces the compliance burden in Colorado, but it does not reduce the strategic urgency. Employers using AI in employment decisions — from resume screening and candidate ranking to performance evaluation and compensation modeling — need to prepare on multiple fronts.

Immediate Actions

  1. Inventory your AI tools. Identify every automated system used in employment decisions across your organization. Determine which tools qualify as ADMT under SB 26-189 and which are covered by other state or local laws.

  2. Map your jurisdictional exposure. If you hire or employ workers in Colorado, New York City, Illinois, California, or other states with AI employment laws, you need to understand which requirements apply to each workforce segment.

  3. Update candidate and employee notices. SB 26-189 requires notice at the point of interaction with ADMT. Illinois requires notice whenever AI influences an employment decision. NYC requires ten business days' advance notice. Build notice processes that satisfy the most stringent applicable requirement.

  4. Establish human review processes. Both SB 26-189 and NYC Local Law 144 require mechanisms for individuals to appeal adverse decisions. Designate trained personnel and document procedures.

  5. Coordinate with vendors. SB 26-189 requires developers to provide technical documentation describing intended uses, training data categories, known limitations, and instructions for human review. Request this documentation now — and build it into procurement contracts going forward.

Technology-Enabled Compliance

For multi-state employers, managing AI compliance manually — with spreadsheets, email reminders, and ad hoc processes — is a recipe for gaps and failures. The compliance obligations are too varied, the timelines are too tight, and the penalties are too consequential.

Compliance automation platforms can:

  • Maintain a centralized AI tool inventory that maps each system to the jurisdictions and regulations it is subject to
  • Generate and distribute notices tailored to the requirements of each applicable law
  • Track bias audit schedules and store audit results for Local Law 144 and similar requirements
  • Monitor regulatory changes across jurisdictions and flag new obligations as they emerge
  • Maintain audit trails that document compliance efforts for enforcement defense
  • Coordinate vendor documentation by tracking which developers have provided required technical disclosures

As BlueHive notes in its white paper on automating compliance to reduce HR burnout, the volume of compliance obligations in 2026 has outpaced what manual processes can reliably deliver. AI employment laws add another layer of complexity that technology is uniquely positioned to manage.

Looking Ahead

Colorado's rewrite signals a broader recalibration in how states approach AI regulation. The original SB 24-205 was a maximalist framework — comprehensive but operationally heavy. SB 26-189 reflects a growing consensus that transparency and targeted disclosure may be more effective (and more enforceable) than sweeping risk management mandates.

But the patchwork is growing, not shrinking. The Colorado Attorney General is actively developing rulemaking to implement SB 26-189 ahead of the January 1, 2027 effective date. Illinois enforcement is underway. NYC continues to issue guidance on Local Law 144. California's regulations are advancing. And the EEOC is applying existing anti-discrimination law to AI with increasing specificity.

For HR technology teams and compliance officers, the operational question is straightforward: Can your current processes track, document, and adapt to AI employment obligations across every jurisdiction where you operate? If the answer is no, the window to build that capability is narrowing.

Frequently Asked Questions

SB 26-189, signed by Governor Polis on May 14, 2026, repeals and replaces the original Colorado AI Act (SB 24-205). It narrows the scope from regulating all 'high-risk AI systems' to focusing specifically on 'automated decision-making technology' used in consequential decisions like employment, housing, and lending. It takes effect January 1, 2027.

Employers who deploy automated decision-making technology for consequential decisions must provide consumer notice at the point of interaction, disclose the technology's role in adverse outcomes within 30 days, allow consumers to request and correct personal data, and offer meaningful human review of adverse decisions. The annual impact assessment requirement from SB 24-205 has been eliminated.

SB 26-189 removes several of the most burdensome requirements from SB 24-205, including mandatory risk management programs, annual impact assessments, and broad public disclosure mandates. It shifts from a 'reasonable care' standard to a transparency- and disclosure-based framework, and narrows the definition of covered systems from 'high-risk AI' to 'automated decision-making technology' used in specific consequential decisions.

In addition to Colorado, employers must navigate New York City's Local Law 144 (requiring annual independent bias audits of automated employment decision tools), Illinois HB 3773 (mandating notice when AI is used in employment decisions and prohibiting use of zip codes as proxies for race), and emerging requirements in California, New Jersey, and Minnesota. Federal enforcement from the EEOC also applies to AI-driven hiring decisions under Title VII.

Compliance automation platforms can maintain inventories of AI tools used in employment decisions, generate and distribute required candidate and employee notices, track bias audit schedules and results, monitor regulatory changes across jurisdictions, maintain audit trails for enforcement defense, and coordinate vendor documentation requirements — all of which reduce the risk of noncompliance in a rapidly evolving legal landscape.
