Colorado has fundamentally reshaped its approach to AI governance, replacing its 2024 comprehensive AI law with a more targeted framework that focuses on automated decision-making technology rather than AI broadly. On May 14, 2026, Governor Jared Polis signed the Colorado Automated Decision-Making Technology (ADMT) Act, which repeals the previous law and reflects a growing global trend toward narrower, sector-specific regulation instead of sweeping AI rules.

The original 2024 Colorado AI Act was celebrated as the nation's first comprehensive AI law when it passed. It regulated high-risk AI systems used in consequential decisions affecting access to financial services, medical care, housing, employment, and other critical domains. However, mounting concerns about overregulation prompted lawmakers to reconsider the approach. The Trump administration's efforts to preempt state AI laws, combined with the European Union's decision in May 2026 to delay implementation of its own AI Act, created pressure for change.

Why Did Colorado Abandon Its Comprehensive AI Law?

The shift reflects a fundamental disagreement about how to regulate emerging technology. Supporters of the original law argued it protected consumers from discriminatory AI systems. Critics contended that broad requirements like mandatory impact assessments and risk management frameworks would stifle innovation and create compliance burdens for companies. A bipartisan legislative committee in Colorado examined these concerns and recommended the changes now embodied in the new ADMT Act.

Interestingly, the new law is not a deregulatory measure, despite eliminating explicit procedural requirements. Instead, it takes a different approach: narrower scope, clearer targets, and stronger liability protections for consumers. The law removes exemptions that previously shielded banks, credit unions, and healthcare organizations from regulation, meaning these sectors now face direct accountability for discriminatory automated decisions.

What Changed in the New Colorado Law?

• Scope Shift: The law moved from regulating "artificial intelligence" broadly to focusing on "automated decision-making technology," which encompasses a wider range of digital systems, including those less sophisticated than modern AI models.
• Expanded Coverage: The amended law removes exemptions for federally regulated sectors like financial services and healthcare, meaning banks, credit unions, and HIPAA-regulated healthcare organizations can no longer claim they are exempt from state AI rules.
• Lower Trigger Threshold: The law now regulates ADMT where it "materially influences" a consequential decision, replacing the previous "substantial factor" standard, which likely set a higher bar for what counts as regulated activity.
• Broader Definition of Consequential Decisions: The law now covers decisions that "relate to" provision of services or access to covered domains, including decisions about pricing, cost-sharing, or compensation that could "materially limit, delay, or effectively deny" a consumer's opportunity in finance, healthcare, housing, employment, education, or essential government services.
• Transparency Over Mandates: Instead of requiring companies to maintain internal governance frameworks, the law now emphasizes transparency and consumer rights, echoing the 1970 Fair Credit Reporting Act (FCRA), which gives consumers the right to know why they were denied credit and to dispute decisions.

How Will Companies Actually Comply?

The removal of explicit governance requirements does not mean companies can ignore best practices. In fact, the law's liability structure may push organizations toward the very governance measures that are no longer mandatory. Developers and deployers of regulated AI systems can no longer shift responsibility for discrimination claims by contract, meaning both parties share accountability.

To manage legal risk and provide satisfactory explanations to consumers about AI-assisted decisions, businesses will likely adopt AI governance frameworks and standards to demonstrate reasonable care. This creates an indirect incentive to implement the kind of structured risk management that the original law required explicitly. Companies have until January 1, 2027, to comply with the new law, giving them more time than the original 2024 Act, which had an implementation date of June 2026.

What Does This Mean for the Broader AI Governance Landscape?

Colorado's shift is part of a larger global pattern. The European Union delayed implementation of its AI Act in May 2026, and the Trump administration has issued executive orders aimed at limiting state AI regulation to promote innovation. However, this does not mean AI regulation is disappearing. Instead, the regulatory climate is moving away from sprawling "comprehensive" frameworks toward tightly focused regulation targeting specific, identified AI harms.

Other states have continued their own AI lawmaking, including regulations under California's Consumer Privacy Act and laws targeting generative AI, chatbots, AI companions, and AI use in healthcare and therapy services. The Colorado ADMT Act demonstrates that narrower, sector-focused approaches can still impose meaningful obligations on companies while reducing the compliance burden of broad rules.

Steps Companies Should Take to Prepare for the New Colorado Law

• Audit Current Systems: Identify all automated decision-making systems used in covered domains such as financial services, healthcare, housing, employment, education, and essential government services to determine which systems fall under the law's scope.
• Review Liability Exposure: Assess contracts with AI developers and deployers to understand that responsibility for discrimination claims cannot be shifted by contract, meaning both parties may face liability for discriminatory outcomes.
• Implement Transparency Mechanisms: Develop processes to provide consumers with clear explanations of AI-assisted decisions and establish channels for consumers to challenge those decisions, consistent with Fair Credit Reporting Act standards.
• Adopt Governance Frameworks: Even though explicit governance requirements were removed, consider adopting AI governance standards and risk management frameworks to demonstrate reasonable care and reduce legal exposure.
• Plan for January 2027: Most provisions of the new law take effect on January 1, 2027, so companies should begin compliance planning now rather than waiting until late 2026.

The Colorado ADMT Act represents a pivotal moment in AI governance. Rather than abandoning regulation, it refocuses it on the sectors and decisions where AI poses the greatest risk to consumers. For companies operating in finance, healthcare, housing, employment, and education, the new law will likely have a direct and visible impact, even if the compliance pathway looks different from the original comprehensive approach.