Colorado SB 26-189 takes effect January 1, 2027. Whether your organization develops AI systems or deploys them in consequential decisions, you need a concrete plan. This checklist breaks the law's requirements into actionable steps organized by role.
Developer Obligations Under Section 6-1-1702
Developers — companies that build or substantially modify AI systems used in consequential decisions — carry the first layer of compliance responsibility. If you sell, license, or provide an AI system that a deployer uses in one of the seven covered domains, these requirements apply to you.
Documentation package. You must provide deployers with a reasonably detailed plain-language description of the intended uses and known limitations of your system. This includes categories of training data used, how the system was evaluated for performance and fairness, and instructions for meaningful human review.
Ongoing updates. When you discover material changes to your system's capabilities or limitations, you must provide updated documentation to deployers within a reasonable timeframe. This is not a one-time obligation — it runs for the life of the developer-deployer relationship.
Contact information. Provide deployers with a way to contact you about the AI system. This sounds trivial but many vendor contracts lack a designated AI governance contact.
Deployer Obligations Under Section 6-1-1704
Deployers — organizations that use AI systems to make or substantially assist in making consequential decisions — face the consumer-facing requirements.
Pre-decision notice. Before using automated decision-making technology (ADMT) in a consequential decision, you must provide clear and conspicuous notice to the consumer. The notice must describe the purpose of the ADMT and the nature of the consequential decision.
Post-adverse-decision notice. Within 30 days of making an adverse consequential decision, provide a plain-language statement explaining the role of ADMT in the decision, the principal factors and logic used, and information about the consumer's right to request human review.
Consumer rights infrastructure. Consumers affected by ADMT-assisted decisions gain rights to access their personal data used in the decision, correct inaccuracies in that data, and request meaningful human review by a qualified person. Your organization needs processes to handle these requests.
Record retention. Maintain records sufficient to demonstrate compliance for at least three years after the consequential decision. This includes notice records, consumer requests, and human review documentation.
Pre-Launch Checklist
Use this checklist before deploying any AI system in consequential decisions after January 1, 2027:
- Identify every AI system used in consequential decisions across the seven covered domains
- Map each system to its developer and verify you have received the required documentation package
- Establish a pre-decision notice process (clear, conspicuous, before the decision)
- Build a post-adverse-decision notice workflow with 30-day delivery timeline
- Create consumer rights intake processes for data access, correction, and human review requests
- Designate and train qualified personnel for meaningful human review
- Implement a record retention policy covering at least three years
- Establish a monitoring process for developer documentation updates
- Document your AI governance program in writing
- Run a tabletop exercise simulating an Attorney General inquiry and 60-day cure response
Check Your AI Governance Posture
Search your company in the AI Clear registry to see how your transparency practices compare.