Colorado Rewrites Its AI Law: What Employers Must Know About SB 26-189

On May 14, 2026, Governor Polis signed Senate Bill 26-189 into law, repealing and replacing Colorado’s 2024 landmark AI law. Senate Bill 26-189 — A Bill Concerning the Use of Automated Decision-Making Technology in Consequential Decisions (“ADMT”) — supersedes SB 24-205 and reshapes the compliance landscape for employers using AI in hiring, compensation, and workforce management. The new law takes effect January 1, 2027, but enforcement is already subject to a legal challenge that has thrown the entire framework into limbo.

The Law is Currently On Hold

On April 9, 2026, Elon Musk’s xAI (developer of the large language model, Grok) filed suit in the U.S. District Court for the District of Colorado against Colorado Attorney General Philip J. Weiser challenging the constitutionality of SB 24-205. On April 24, 2026, the U.S. Department of Justice moved to intervene in support of xAI — marking the first time the federal government has sought to invalidate a state AI law, a direct outgrowth of President Trump’s Executive Order 14365 directing the DOJ to challenge state AI regulations. That same day, xAI and the Attorney General filed a joint motion to stay enforcement, which the Court granted on April 27, 2026. Critically, the Attorney General has stated he does not intend to enforce SB 24-205 or any legislation replacing or amending it — including SB 26-189 — until after the rulemaking process has concluded. In practical terms, the Colorado AI Act is on hold with no firm enforcement date.

A Compliance Reprieve – But Not a Free Pass

SB 26-189 eliminates the most burdensome requirements of its predecessor. Employers who were building compliance programs for SB 24-205 should note what is no longer required:

• No mandatory risk management program aligned to NIST AI RMF or ISO 42001.
• No annual impact assessments within 90 days of deployment.
• No duty to self-report harms to the AG for algorithmic discrimination.
• No freestanding duty of reasonable care to protect consumers from algorithmic discrimination (though anti-discrimination liability under existing state and federal law is preserved).
• No public statement summarizing deployed AI systems and risk management practices.

These are meaningful concessions to the business community. However, employers should not conclude that relaxed statutory duties eliminate underlying risk. The Colorado Anti-Discrimination Act and federal anti-discrimination laws remain fully operative, and SB 26-189 expressly preserves and clarifies liability under those frameworks.

What Remains: From “High-Risk AI” to “Covered ADMT”

SB 26-189 shifts to regulating “Covered ADMT” — defined as any technology that processes personal data and uses computation to generate outputs (predictions, recommendations, classifications, rankings, scores) that are used to make, guide, or assist a decision about an individual. 

The law applies when ADMT “materially influences” a consequential decision in a covered domain.

For employers, covered decisions include hiring, termination, promotion, compensation, and scheduling. The law’s inclusion of differentiated pricing and compensation as consequential decisions is particularly significant for employers using performance scoring, merit pay models, or dynamic compensation tools.  Tools used purely for administrative support will generally fall outside the law’s scope, as will general purpose AI chatbots (e.g., ChatGPT or Claude) that are subject to acceptable-use policies.

Deployer Obligations for Covered ADMT

Employers who deploy AI tools in hiring, performance management, or compensation are “deployers” subject to four primary obligations:

• Recordkeeping — Retain records demonstrating compliance for three years, including ADMT version identifiers, changelogs, and documentation of material changes to risk mitigation.
• Point-of-Interaction Notice — Provide clear and conspicuous notice before using a covered ADMT to materially influence a consequential decision.
• Post-Adverse-Outcome Disclosure — Within 30 days of an adverse outcome (e.g., a rejected job application), provide a plain-language description of the decision, the ADMT’s role, and instructions for requesting additional information.
• Consumer Rights — Applicants have the right to inspect and correct factually inaccurate personal data and to request meaningful human review of adverse decisions where technically feasible.

The statute’s definition of “meaningful human review” is demanding and requires a reviewer who has the authority to override the decision, who considers relevant evidence, is trained for the role, and does not simply default to the system’s output. A recruiter who ratifies an AI-generated ranking without genuine deliberation does not meet this standard.

Liability and the Developer-Deployer Fault Framework

SB 26-189 introduces a comparative fault framework allocating liability between AI developers and the employers who deploy their tools. This directly addresses the liability uncertainty created by Mobley v. Workday – a case in which a job applicant sued an employer for discriminatory outcomes produced by a third-party AI resume screening tool, raising the question of whether employers are liable for bias built into vendor systems chosen and used (but not designed) by employers. Per SB 26-189, employers cannot escape liability for off-label use of AI tools and any contractual provision that would shield a developer or deployer from liability for its own discriminatory acts is void.

Practical Compliance Recommendations

The enforcement stay creates a window of opportunity, not a reason for delay. Here are the immediate steps employers should take, either on their own or with the assistance of legal counsel:

• Identify all AI and automated tools currently used in hiring, performance management, promotion, compensation, and termination decisions.
• Review vendor contracts to understand where liability lies and flag any indemnification provisions that SB 26-189 now voids.
• Begin developing notice and disclosure processes for employees and applicants affected by covered ADMT.

• Design and document a meaningful human review process for adverse AI-assisted employment decisions.
• Monitor AG rulemaking, which must be completed before enforcement can resume.
• Remember that even without enforcement of SB 26-189, discrimination claims arising from AI-assisted employment decisions remain actionable under existing state and federal law.

Questions about how SB 26-189 affects your organization? Contact Daniel Pietragallo and Sarah Andrzejczak at Buchalter.

This communication is not intended to create or constitute, nor does it create or constitute, an attorney-client or any other legal relationship. No statement in this communication constitutes legal advice nor should any communication herein be construed, relied upon, or interpreted as legal advice. This communication is for general information purposes only regarding recent legal developments of interest, and is not a substitute for legal counsel on any subject matter. No reader should act or refrain from acting on the basis of any information included herein without seeking appropriate legal advice on the particular facts and circumstances affecting that reader. For more information, visit www.buchalter.com.