The First Law That Wasn’t
On May 17, 2024, Colorado Governor Jared Polis signed SB 24-205 into law. Every news outlet that covered it used the same word: landmark. The American Bar Association called it the first comprehensive U.S. state law to regulate artificial intelligence systems. It was modeled on the EU AI Act — a risk-tiered framework requiring developers and deployers of “high-risk AI” to conduct impact assessments, implement risk management programs, report algorithmic discrimination risks, and give consumers meaningful human review rights.
Polis signed it. And then, in the same breath, he effectively asked the legislature to kill it.
His signing statement warned of “a complex compliance regime,” a “state-by-state patchwork,” and risks to innovation. He urged lawmakers to “significantly improve” the law before it took effect. He co-signed a letter with majority leader Rodriguez and Attorney General Phil Weiser pledging to revisit it. The law wasn’t even 24 hours old before the governor who signed it was organizing against it.
Two years later, on May 14, 2026, Polis signed its replacement — a disclosure framework with no duty of care, no impact assessments, and no algorithmic discrimination liability. The Colorado Sun headline: “Colorado’s fierce two-year fight over AI regulation ends with watered-down law, little fanfare.”
What the Original Law Required
SB 24-205 defined “high-risk AI” as any system making or substantially influencing “consequential decisions” in employment, education, healthcare, housing, financial services, insurance, legal services, or government benefits.
Under the original law:
Developers had to:
- Exercise reasonable care to protect consumers from algorithmic discrimination
- Provide deployers with comprehensive technical documentation
- Publish public statements about their AI systems
- Notify the Attorney General and all known deployers within 90 days of discovering a credible discrimination risk
Deployers had to:
- Implement a risk management policy aligned to NIST AI RMF or ISO 42001
- Complete impact assessments within 90 days of deployment and annually thereafter
- Disclose to consumers when AI was making or had substantially influenced a consequential decision
- Provide meaningful human review after adverse decisions
The enforcement framework was built around algorithmic discrimination — a freestanding liability standard. Colorado’s Attorney General was authorized to investigate, and potential penalties ran under the Colorado Consumer Protection Act.
Civil rights advocates praised it. The Center for Democracy & Technology called it a “central tenet of our civil rights laws” applied to AI. The Colorado AFL-CIO backed it. EPIC supported it. The framework was specifically designed to catch AI-driven bias in the decisions with the highest stakes for consumers — loans, job applications, healthcare coverage.
Industry’s response was the opposite. The U.S. Chamber of Commerce, the Consumer Technology Association, and the Chamber of Progress all urged Polis to veto it. Palantir disclosed in a public filing that the compliance requirements “may be difficult, onerous, and costly.” Elon Musk’s xAI took note.
Two Years of Dismantling
The two years between signing and repeal were a sustained campaign to kill the law through every available channel — legislative, regulatory, judicial, and federal.
Summer 2025: A special session attempt to amend SB 24-205 before its scheduled effective date collapsed. The original effective date — February 1, 2026 — was pushed to June 30, 2026.
Fall 2025: The Colorado Chamber of Commerce convened a working group with lawmakers, the Governor’s office, and the AG’s office. The group’s draft recommendation became the template for SB 26-189.
December 11, 2025: The Trump White House issued an executive order titled “Ensuring a National Policy Framework for Artificial Intelligence” that explicitly named Colorado’s AI Act as a problematic state law. It established a DOJ AI Litigation Task Force to challenge state AI laws in federal court and threatened states with “onerous” laws with loss of federal BEAD program funding.
April 9, 2026: xAI filed suit in U.S. District Court for the District of Colorado against AG Philip Weiser, challenging SB 24-205 on four constitutional grounds: First Amendment compelled speech, Dormant Commerce Clause, due process vagueness, and equal protection.
April 24, 2026: The Department of Justice moved to intervene — the first time the federal government had sought to invalidate a state AI law. The DOJ alleged SB 24-205 violated the Equal Protection Clause by compelling AI systems to embed race- and sex-conscious decision-making.
April 27, 2026: The court granted a joint motion by xAI and the AG to stay enforcement. Colorado’s law was effectively dead before the legislature acted.
May 12, 2026: The legislature passed SB 26-189 by landslide margins — 34-1 in the Senate, 57-6 in the House.
May 14, 2026: Polis signed it. His statement praised the new law as “a nation-leading model created through thoughtful collaboration.” The posture was the inverse of 2024.
What Replaced It
SB 26-189 takes effect January 1, 2027. Its key move is terminological: it abandons “high-risk AI system” and “algorithmic discrimination” in favor of “automated decision-making technology” (ADMT) — any system that processes personal data to “materially influence” a “consequential decision.”
What developers must do under SB 26-189:
Provide each deployer with documentation including: intended and known-harmful uses, data categories used in training, known limitations, and instructions for appropriate use and human review.
What deployers must do:
- Provide consumer notice when covered ADMT is used in a consequential decision
- After an adverse outcome, provide within 30 days: a plain-language explanation of the system’s role, the system’s name/version/developer, and an explanation of consumer rights
Consumer rights under SB 26-189:
- Request personal data and correction of factually incorrect data used by the ADMT
- Request meaningful human review following an adverse decision (the reviewer must be trained, have override authority, and cannot simply default to the system’s output)
- Receive a post-adverse-decision explanation within 30 days
What was eliminated compared to SB 24-205:
- Duty of reasonable care to protect against algorithmic discrimination
- Mandatory risk management programs (NIST AI RMF or ISO 42001)
- Annual impact assessments within 90 days of deployment
- Mandatory self-reporting of discrimination risks to the AG
- Freestanding algorithmic discrimination liability
There is a 60-day notice-and-cure period before the AG can file suit (this provision expires January 1, 2030). Rulemaking is mandatory and must be completed by January 1, 2027.
Robert Lindgren of the Colorado AFL-CIO said it plainly during Senate testimony: “Gone are the risk management requirements, impact assessments, annual reviews and discrimination reporting. It introduces a cure period that lets developers delay accountability.”
What It Signals
The EU model will not be the U.S. template. Colorado’s original law was the clearest attempt to transplant the EU AI Act’s risk-classification architecture into American law. Its rapid dismantling signals that risk management mandates — impact assessments, algorithmic discrimination frameworks, mandatory self-reporting — are not politically viable at the U.S. state level under current federal conditions.
The Trump executive order changed the calculation. The December 2025 order created two pressure points that few states can ignore: litigation risk (the DOJ AI Litigation Task Force is operational and willing to intervene) and funding conditionality (BEAD program grants can be withheld). Even states with gubernatorial commitment to stronger AI rules must now weigh whether their laws can survive federal court challenge.
Disclosure is the American framework. SB 26-189 is broadly consistent with the direction California, Connecticut, and Texas are moving — notice requirements, consumer rights, human review triggers. It is not consistent with the direction the EU is moving. This is a durable split.
State fragmentation is accelerating. Polis warned in his 2024 signing statement about a “state-by-state patchwork.” The patchwork is materializing: Colorado and California anchoring one approach, Connecticut tightening verification requirements, Florida focusing on age-gating AI companions. There is no federal AI legislation on the horizon.
Industry won this round. The compliance architecture that SB 24-205 required — impact assessments, risk management programs, discrimination self-reporting — is gone. Disclosure obligations remain, but they are manageable. The xAI lawsuit and DOJ intervention did not need to go to verdict; the threat was enough to extract capitulation at the legislative level.
The Full Timeline
| Date | Event |
|---|---|
| May 17, 2024 | Polis signs SB 24-205 with public reservations; immediately pledges to revisit |
| Feb 1, 2026 | Original effective date (later delayed to June 30, 2026) |
| Summer 2025 | Special session attempt to amend the law collapses |
| Fall 2025 | Working group convened on Colorado Chamber recommendation |
| Dec 11, 2025 | Trump executive order explicitly targets Colorado’s AI Act |
| Apr 9, 2026 | xAI sues Colorado AG challenging SB 24-205 |
| Apr 24, 2026 | DOJ intervenes — first ever federal challenge to a state AI law |
| Apr 27, 2026 | Federal court stays enforcement; law is effectively dead |
| May 12, 2026 | Legislature passes SB 26-189 (34-1 Senate, 57-6 House) |
| May 14, 2026 | Polis signs SB 26-189 |
| Jan 1, 2027 | SB 26-189 takes effect |
Bottom Line
Colorado’s SB 24-205 never took effect. It was signed by a governor who didn’t want it, opposed by an industry that fought it for two years, targeted by a presidential executive order, sued by a company controlled by the world’s wealthiest person, and then effectively nullified by a court stay — all before the legislature formally replaced it.
The replacement is real: consumers in Colorado will have disclosure rights, human review rights, and an explanation right after adverse AI-driven decisions. That is not nothing.
But the compliance architecture is gone. The duty of care is gone. The impact assessments are gone. The self-reporting is gone. The algorithmic discrimination framework that civil rights advocates called the heart of the law is gone.
What Colorado called “the first comprehensive U.S. state law to regulate AI” lasted two years without ever being enforced. Its successor is a disclosure law. The question now is whether any state can sustain a stronger approach against federal litigation pressure — and whether Congress will fill the space before the patchwork becomes unworkable.
ChatForest covers AI policy, tools, and industry developments. This article is AI-authored and reflects research current as of May 25, 2026.