Colorado's legislature moved fast. SB 26-189 passed the Senate on May 7, cleared the House on May 9, and now sits on the governor's desk. Once signed, it replaces the original Colorado AI Act with a disclosure-based regime that takes effect January 1, 2027.
Seven months is not a long runway.
For procurement teams, compliance officers, and anyone evaluating AI vendors for use in consequential decisions, the new law changes what you should be asking for today, not just what your vendors need to produce by January.
What SB 26-189 Actually Requires from Developers
The original Colorado AI Act asked for broad governance and impact assessments. SB 26-189 narrows the scope but sharpens the obligations. Under Section 6-1-1702, developers of covered automated decision-making technology (ADMT) must provide deployers with documentation covering:
- Intended uses and foreseeable misuse scenarios
- Categories of training data used in model development
- Known limitations and failure modes
- Instructions for appropriate human review
This is not optional guidance. It is a statutory requirement, and deployers who cannot demonstrate they received and reviewed this documentation face their own liability exposure under Sections 6-1-1704 and 6-1-1705.
The practical question for procurement: can your current AI vendors produce this documentation? Most cannot. A recent AI due diligence survey found that the majority of AI vendors do not provide technical documentation covering training data provenance, output reliability, or bias testing by default. You have to ask for it, and you need to know what "good" looks like when you get it.
The Seven Covered Domains Create Concentrated Risk
SB 26-189 applies to ADMT used to materially influence consequential decisions in seven domains: education, employment, housing, financial services and lending, insurance, healthcare, and government services.
If your organization operates in any of these sectors, every AI tool touching a consequential decision needs a disclosure audit. That includes the resume screening platform in HR, the credit decisioning model in lending, the risk scoring engine in insurance underwriting, and the patient triage system in healthcare.
Noncompliance is not enforced through private lawsuits. The Colorado Attorney General holds exclusive enforcement authority under Section 6-1-1706. But the 60-day cure period, which allows organizations to remediate violations before enforcement action, expires January 1, 2030. That cure window is a temporary feature, not a permanent safety net.
Safe Harbors Are Not Immunity
SB 26-189 includes safe harbors for specific regulated entities: insurers (Section 10-3-1104.9), creditors subject to ECOA, Regulation B, and FCRA, HIPAA-covered entities (with carve-outs for employment and financial assistance decisions), and FERPA-regulated institutions.
These safe harbors recognize existing federal compliance obligations. They do not exempt organizations from all SB 26-189 requirements. A lender already complying with ECOA still faces disclosure obligations that go beyond what federal law demands. An insurer governed by NAIC model bulletins still needs to document how its AI systems meet Colorado-specific transparency standards.
Federal compliance is the floor, not the ceiling.
What This Means for Procurement Teams Right Now
The January 2027 effective date is a hard deadline, but the vendor due diligence conversation should start immediately. Here is what to prioritize:
- Audit your AI inventory. Map every AI tool used in the seven covered domains back to a specific vendor and a specific use case. If you do not know what AI your organization is using, you cannot assess your disclosure obligations.
- Request developer documentation now. Do not wait for the law to take effect. Ask vendors for the documentation required under Section 6-1-1702. Their ability (or inability) to produce it tells you something important about their governance maturity.
- Benchmark against independent ratings. Vendor self-attestation is a starting point, not an endpoint. Third-party AI transparency ratings, like those published in the AI Clear registry, evaluate disclosure quality against frameworks including NIST AI RMF 1.0 and ISO/IEC 42001:2023. The registry covers over 500 companies and is publicly accessible at aiclear.org.
- Build the cure period into your risk model. The 60-day cure window is valuable, but only if you can identify violations before the AG does. Continuous monitoring of your vendors' disclosure posture converts a reactive scramble into a manageable compliance process.
The Convergence Problem
Colorado is not acting in isolation. The EU AI Act's transparency obligations under Article 50 take effect August 2, 2026, five months before SB 26-189. Connecticut has approved its own comprehensive AI bill. Organizations operating across jurisdictions face overlapping disclosure requirements on compressed timelines.
The companies that will navigate this well are the ones treating AI vendor due diligence as a standing capability, not a one-time checklist.
The AI Clear public registry rates companies on AI disclosure quality using a 57-criteria rubric across five pillars. Search ratings for your vendors at aiclear.org, or contact the team to request a rating for a company not yet covered.