Colorado Guts Its Landmark AI Law — Risk Management Out, Disclosure In
Summary: Colorado's governor signed SB 189 on May 14, effectively replacing the nation's first comprehensive AI law with a narrower transparency-only framework.
Key Facts
- Mandatory risk management programs and annual impact assessments — the law's most burdensome provisions — removed entirely
- New statute pivots to developer and deployer disclosure obligations; "duty of care" requirement eliminated
- Effective date shifts from June 30, 2026 to January 1, 2027
- Sector carve-outs added for HIPAA-covered entities, insurers, educational institutions, and FDA-regulated medical devices
- No private right of action; enforcement handled solely by the state Attorney General
Why It Matters
Colorado's original AI Act (SB 24-205) was the first law in the U.S. to impose proactive risk-management obligations on AI deployers — a model other states were watching closely. Its rollback after sustained industry pressure signals that risk-based AI regulation faces a steep climb domestically, especially while federal legislation remains stalled. The remaining disclosure framework still requires companies to surface when consumers are interacting with high-risk AI, but the teeth are largely gone.