In May 2025, Colorado replaced its original AI law before it ever took effect. SB 26-189 repeals SB 24-205 — the Colorado AI Act signed in 2024 — and substitutes a fundamentally different regulatory model. If you are building a compliance program for Colorado's AI requirements, understanding exactly what changed is the starting point. For a complete overview of the new law, see the SB 26-189 pillar page.
Why Colorado Rewrote Its AI Law
SB 24-205, signed by Governor Polis in May 2024, was built around preventing "algorithmic discrimination." It required developers and deployers to conduct impact assessments, implement risk management programs, and take affirmative steps to prevent discriminatory outcomes from high-risk AI systems.
The business community raised significant objections. The law's scope was broad, compliance costs were high (particularly ongoing impact assessments), and the concept of "algorithmic discrimination" created legal ambiguity. Governor Polis expressed concern that the law could discourage AI innovation in Colorado. The legislature agreed to replace it entirely.
SB 26-189 takes a different approach: instead of trying to prevent bad outcomes, it requires transparency about how AI is used and gives consumers rights to understand and challenge automated decisions.
Side-by-Side Comparison
| Requirement | SB 24-205 (Repealed) | SB 26-189 (New Law) |
|---|---|---|
| Effective date | June 30, 2026 | January 1, 2027 |
| Scope | All high-risk AI systems | ADMT used in consequential decisions across 7 domains |
| Bias requirements | Duty to avoid algorithmic discrimination | Removed entirely |
| Impact assessments | Annual mandatory assessments | Not required |
| Documentation | Broad governance documentation | Specific technical documentation (intended uses, training data, limitations, human review instructions) |
| Consumer notice | General transparency requirement | Pre-decision notice + post-adverse-decision explanation within 30 days |
| Human review | Not explicitly specified | Explicit right to meaningful human review by a qualified person |
| Enforcement | AG + private right of action | AG only — no private right of action |
| Cure period | None | 60-day cure period before penalties |
| Record retention | Not specified | 3 years minimum |
| NIST safe harbor | Yes — compliance with NIST AI RMF provided defense | Removed — no NIST safe harbor |
| Federal safe harbors | None | Insurers (state insurance code), creditors (ECOA/FCRA), HIPAA entities, FERPA institutions |
What Was Removed
Three major requirements from SB 24-205 do not exist in SB 26-189.
Algorithmic discrimination duty. SB 24-205 imposed a duty on developers and deployers to avoid algorithmic discrimination — defined as differential treatment or impact on protected classes. SB 26-189 contains no anti-discrimination mandate. The law is purely about disclosure, not outcomes.
Mandatory impact assessments. SB 24-205 required deployers to conduct annual impact assessments for every high-risk AI system, evaluating risks of algorithmic discrimination and documenting mitigation steps. SB 26-189 eliminates this requirement entirely. Organizations that invested in impact assessment infrastructure for SB 24-205 compliance can repurpose that capacity toward other governance activities, but it is no longer a legal obligation under Colorado law.
NIST AI RMF safe harbor. SB 24-205 provided that compliance with the NIST AI Risk Management Framework constituted a defense against enforcement. SB 26-189 does not include this safe harbor. While NIST AI RMF remains an excellent governance framework (and AI Clear's rating methodology is anchored to it), compliance with NIST no longer provides a statutory defense in Colorado.
What Was Added
SB 26-189 introduced several requirements that did not exist under SB 24-205.
Consumer data correction rights. Consumers affected by ADMT-assisted decisions gain the right to access their personal data used in the decision and to correct inaccuracies. This creates an operational requirement: organizations need data retrieval and correction workflows tied to their AI systems.
60-day cure period. Before the Attorney General can pursue penalties for a violation, the company must receive 60 days to remedy the issue. This is one of the most significant features of SB 26-189 — it rewards preparedness over perfection. Organizations with documented governance programs and tested response plans can cure quickly. For details on building a cure response plan, see the cure period guide.
Explicit adverse outcome notice. Within 30 days of making an adverse consequential decision using ADMT, deployers must provide a plain-language statement explaining the technology's role, the principal factors and logic used, and the consumer's right to request human review. SB 24-205 had general transparency requirements but nothing this specific.
Meaningful human review right. Consumers gain an explicit right to meaningful human review by a qualified natural person who has authority to override the automated system's recommendation. This was not specified in SB 24-205. For implementation guidance, see the meaningful human review guide.
Federal entity safe harbors. SB 26-189 adds safe harbors for specific federally regulated activities: insurers under state insurance code, creditors under ECOA/Regulation B/FCRA, HIPAA-covered clinical activities, and FERPA-governed educational activities. These are activity-specific, not organization-wide — an insurer using AI in employment decisions does not get safe harbor coverage for those decisions.
What This Means for Your Compliance Program
If you built a compliance plan around SB 24-205, much of that work is still relevant. The seven covered domains are the same. The concept of consequential decisions is similar. The basic principle — know what AI you deploy and be transparent about it — is unchanged.
What you can remove: Impact assessment workflows designed to evaluate discriminatory outcomes. Algorithmic discrimination testing protocols. NIST safe harbor documentation prepared specifically as a statutory defense.
What you must add: Pre-decision consumer notice processes. Post-adverse-decision notice workflows with a 30-day delivery timeline. Consumer data access and correction capabilities. Meaningful human review infrastructure with qualified reviewers and override authority. A 60-day cure response plan with a designated team and remediation playbooks. A three-year record retention policy.
What you should keep: AI system inventories. Vendor documentation requirements. Internal governance documentation. Bias testing (not legally required under SB 26-189, but still best practice). Risk management frameworks anchored to NIST AI RMF and ISO/IEC 42001 — these remain the structural foundation even though the NIST safe harbor is gone.
For a step-by-step implementation plan, see the compliance checklist. To benchmark your organization's current governance posture, use the readiness assessment or search for your company in the AI Clear registry.