Use this self-assessment to evaluate your organization's current state of readiness for SB 26-189 compliance. Score each item honestly — the goal is to identify gaps, not to achieve a perfect score.
Section 1: AI System Inventory
Do you maintain a current inventory of all AI systems used in consequential decisions? Organizations that cannot identify their AI deployments cannot comply with any part of the statute. This is the foundational requirement — everything else builds on it.
For each system, have you identified the developer, the deployer role, and the specific consequential decisions it informs? A system-level inventory is necessary but insufficient. You need decision-level mapping: which specific decisions in which domains does each system touch?
Do you know which of the seven covered domains each system operates in? A single AI system may touch multiple domains. A hiring platform's AI might affect employment decisions (covered) and also process data that affects insurance eligibility determinations (also covered).
Section 2: Developer Documentation
Have you received the required documentation package from each AI vendor? This includes intended uses, known limitations, training data categories, evaluation methods, and human review instructions.
Is that documentation current? Documentation received at contract signing may be outdated if the vendor has updated the system. Have you established a process for receiving and reviewing vendor documentation updates?
Does your vendor contract include SB 26-189 compliance provisions? Specifically: documentation delivery requirements, update timelines, cooperation obligations, and record retention commitments.
Section 3: Consumer Notice
Do you have a pre-decision notice process for every ADMT-assisted consequential decision? The notice must be clear, conspicuous, and delivered before the decision is made.
Do you have a post-adverse-decision notice process with a 30-day delivery timeline? This must include a plain-language explanation of ADMT's role, the principal factors and logic, and information about the consumer's right to human review.
Have you tested your notice processes with actual consumers? A notice that is technically compliant but practically incomprehensible does not serve the statute's purpose — and may not survive AG scrutiny.
Section 4: Consumer Rights
Can consumers access the personal data used in ADMT-assisted decisions about them? This requires both a request intake process and a data retrieval capability.
Can consumers correct inaccuracies in their personal data? Correction requests must be processed and the corrected data must flow through to the AI system's inputs.
Can consumers request meaningful human review? This requires designated, qualified reviewers with access to relevant information and override authority.
Section 5: Governance and Cure Preparedness
Do you have a documented AI governance program? A written program demonstrates institutional commitment and provides evidence of good faith in any enforcement proceeding.
Do you maintain compliance records for at least three years? This includes notice records, consumer requests, human review documentation, and vendor communications.
Have you designated a cure response team? The team should include legal, compliance, product, and engineering representation with defined roles and escalation paths.
Do you have remediation playbooks for each major obligation? Pre-built playbooks for notice failures, consumer rights gaps, human review deficiencies, and documentation lapses.
Have you run a cure response tabletop exercise? Simulate an AG inquiry and time your organization's response through the full 60-day cure cycle.
Scoring Your Readiness
Count the questions where your honest answer is "yes" with evidence. 16-18: Strong readiness — you are well-positioned for January 2027. 12-15: Moderate readiness — the framework exists but gaps remain. 8-11: Early stage — significant work needed before enforcement begins. Below 8: Foundation required — start with the AI system inventory and build from there.
Regardless of your score, the first step is the same: search your company in the AI Clear registry to see how your current AI governance posture compares to peers in your industry. That baseline tells you where you stand before you decide where to invest.
Check Your AI Governance Posture
Search your company in the AI Clear registry to see how your transparency practices compare.