Colorado's original AI Act, once hailed as the nation's most comprehensive state AI regulation, has been completely repealed and replaced after Elon Musk's xAI filed a federal lawsuit challenging its constitutionality. The legal battle, which also drew intervention from the U.S. Department of Justice, triggered a legislative scramble that resulted in a narrower but potentially broader-reaching replacement law scheduled to take effect January 1, 2027.

What Triggered the Legal Challenge?

On April 9, 2026, xAI, the artificial intelligence company behind the Grok chatbot, filed suit in U.S. District Court for the District of Colorado seeking to block Senate Bill 24-205 on constitutional grounds. The complaint argued the law was unconstitutionally vague, violated the First Amendment through compelled speech, offended the Dormant Commerce Clause by regulating out-of-state actors, and denied equal protection through what xAI characterized as ideologically motivated carve-outs.

The Department of Justice intervened on xAI's side on April 24, marking the first time the federal government had sought to invalidate a state AI law. The DOJ focused on the equal protection argument, contending the law's diversity-oriented provisions constituted impermissible characteristic-based classifications. Three days later, a federal magistrate judge granted a joint motion to stay enforcement of the original law pending resolution of xAI's preliminary injunction motion, effectively freezing SB 24-205 in place.

How Does the New Law Differ From the Original?

The Colorado legislature, working against both the clock and the courts, accelerated its replacement bill. Senate Bill 26-189 passed the House 57-6 and the Senate 34-1, and Governor Polis signed it on May 14, 2026. The new law is materially narrower than its predecessor but removes several significant obligations while potentially expanding the number of affected companies.

The original law regulated "high-risk AI systems," while SB 26-189 regulates "automated decision-making technology" (ADMT), defined as technology that processes personal data to "materially influence" a "consequential decision." Consequential decisions include access to employment, housing, financial services, insurance, healthcare, and education.

Key obligations that were removed include mandatory risk management programs aligned to industry standards like NIST AI RMF or ISO 42001, annual impact assessments within 90 days of deployment, the duty to self-report algorithmic discrimination harms to the Attorney General, and the freestanding duty of reasonable care to protect consumers from algorithmic discrimination.

What Compliance Requirements Remain in Place?

Despite being lighter in obligations, SB 26-189 arguably pulls more entities into scope than its predecessor. The new law retains several key consumer protections and introduces new documentation requirements for both deployers and developers of covered ADMT.

• Consumer Notice: Deployers must notify consumers when covered ADMT is used to make or materially influence a consequential decision affecting them, with clear and understandable language required.
• Post-Adverse-Outcome Disclosure: If covered ADMT contributes to an adverse decision, the affected consumer must receive a plain-language explanation of the system's role within 30 days.
• Record Retention: Deployers must retain compliance documentation for a minimum of three years at the decision level.
• Human Review Right: Consumers can request that a human review a consequential decision influenced by ADMT, and deployers must have a documented operational process for receiving and responding to those requests.
• Developer Documentation: Developers of covered ADMT must supply deployers with technical documentation covering the system's intended uses, known limitations, training data categories, and instructions for appropriate use and monitoring, without requiring disclosure of proprietary source code or model weights.

One of the less-remarked aspects of SB 26-189 is that despite being lighter in obligations, it arguably pulls more entities into scope than its predecessor. The original law contained conditional exemptions for some federally regulated entities. SB 26-189 has eliminated several of those exemptions, bringing additional businesses, particularly in financial services and healthcare, inside the framework. HIPAA-covered entities, for example, are generally exempt under the new law unless they use covered ADMT in employment-related decisions or financial assistance eligibility determinations. The employer-specific exemption for small businesses applies to organizations with 40 or fewer employees, down from 50 under the original law.

What Happens Next With Enforcement and Litigation?

The political irony is substantial. The Colorado Attorney General has stated he does not intend to enforce SB 24-205 or any successor legislation, including SB 26-189, until after the rulemaking process is complete. The Attorney General must adopt implementing rules clarifying key terms including the definition of "materially influence" and setting out consumer rights procedures by January 1, 2027.

The xAI litigation remains technically active. The enforcement stay applies to SB 26-189 as well as the original law, extending until 14 days after the court rules on xAI's preliminary injunction motion. That motion will be filed within 28 days of the state finalizing rulemaking. So enforcement is contingent on rulemaking, which is contingent on Attorney General action, which is currently subject to a court stay.

The practical compliance posture, as multiple law firms have noted, is to build to the statute's text while tracking rulemaking closely. The January 2027 date is the operative target. The federal preemption question also remains unresolved. The Trump Administration has actively pursued preemption of state AI laws, and Colorado's tortured path through repeal-and-replace happened partly in that political context. Whether SB 26-189 survives a federal preemption challenge is genuinely open.

Beyond SB 26-189, three additional Colorado AI bills passed the legislature before the May 13 adjournment and were awaiting Governor Polis's signature: HB 1263 addressing chatbot safety, HB 1139 covering AI in health insurance coverage decisions, and HB 1195 governing AI use by licensed mental health professionals. All carry some veto risk given Polis's track record of skepticism toward stricter tech regulation. For law firms advising clients in healthcare, insurance, or any sector using AI-powered customer interaction tools, these bills are worth tracking in parallel with SB 26-189.