Colorado Replaces Its AI Act with SB 26-189
Colorado replaced its AI Act with SB 26-189, a disclosure-and-recourse law effective Jan 1, 2027. What changed, what survived, and what insurers must do now.
For Compliance officers, GCs, and actuaries at insurers with Colorado exposure.
Read if You built toward Colorado's old AI Act and need to know what SB 26-189 changes before January 1, 2027.
A carrier’s pricing model had already been through two rounds of legal review when the email arrived: Colorado had rewritten its artificial intelligence law. The deadline everyone had been planning for, June 30, 2026, was gone. In its place stood a new statute, a new effective date of January 1, 2027, and a new question. Was the work already done still useful, or had the target moved so far that compliance officers needed to start over?
For insurers, the answer is closer to a redirection than a reset. Colorado did not drop out of state AI regulation. It replaced SB 24-205, the original Colorado Artificial Intelligence Act, with SB 26-189, a narrower law that swaps the old algorithmic-discrimination framework for a disclosure-and-recourse model. The obligations are different, but they are not optional. Any insurer using automated systems to influence underwriting, pricing, claims, or eligibility decisions in Colorado still has to reckon with this statute before the year turns.
This article explains what changed, what survived, and what compliance, legal, and actuarial teams should do in the next six months.
What just happened
On May 14, 2026, Governor Jared Polis signed SB 26-189 into law, repealing and replacing the Colorado AI Act that had been scheduled to take effect on June 30, 2026.1 The new law takes effect on January 1, 2027.2
The replacement was not a surprise. The original law had been under pressure since late 2025. President Trump’s December 2025 executive order on a national AI policy framework singled out Colorado’s statute as an example of “excessive State regulation,” and the U.S. Department of Justice intervened in a federal lawsuit challenging the law in early 2026.3 The Colorado Attorney General had already agreed to suspend enforcement of SB 24-205 pending a legislative fix or a court ruling.4 The fix arrived first.
SB 26-189 keeps the same basic idea, that automated systems affecting consequential decisions need guardrails, but changes almost every detail of how those guardrails are built.
The biggest shift: from “high-risk AI” to “automated decision-making technology”
The old law regulated “high-risk artificial intelligence systems.” The new law regulates “automated decision-making technology,” or ADMT.5
ADMT is defined as a technology that processes personal data and uses computation to generate outputs, including predictions, recommendations, classifications, rankings, scores, or other information, used to make, guide, or assist a decision, judgment, or determination about an individual.6 The law applies when that ADMT is used to “materially influence” a “consequential decision.”7
A consequential decision is one about a consumer’s access, eligibility, or compensation related to education, employment, housing, financial or lending services, insurance, health-care services, or essential government services.8 Insurance is named explicitly. That means pricing algorithms, underwriting triage tools, claims fraud scoring, and eligibility systems that touch Colorado consumers are still in scope, even if the underlying technology does not look like “AI” in the popular sense.
The definition of ADMT is arguably broader than the old “high-risk AI” definition because it does not require inference. A rules-based system that checks whether an answer falls within a fixed range could qualify.9 The message for insurers is that the legal trigger is no longer the sophistication of the model. It is the decision the system helps make.
What SB 26-189 removed
Several of the most burdensome pieces of SB 24-205 did not survive. Insurers no longer have to:
- Maintain a duty of care to avoid algorithmic discrimination.10
- Implement a mandatory risk management program.11
- Conduct annual impact assessments.12
- Report annually to the Colorado Attorney General.13
For carriers that had already begun building risk-management programs and impact-assessment workflows to meet the old law, this is a partial reprieve. The specific documentation requirements tied to SB 24-205 are gone. But the underlying governance discipline is still worth having, both because other states and NAIC may still expect it, and because Colorado’s new framework is not deregulation in any meaningful sense. It is a different shape of regulation.
What SB 26-189 added
The new law imposes a disclosure-and-recourse framework on developers and deployers of covered ADMT.14
Pre-use notice. Deployers must give consumers clear and conspicuous notice before a covered ADMT is used to materially influence a consequential decision.15 This can be satisfied by a prominent public notice accessible via a link, but the notice must be available at the point of interaction.16
Post-adverse-outcome notice. Within 30 days after a covered ADMT makes a consequential decision that results in an adverse outcome, the deployer must provide a plain-language description of the decision and the ADMT’s role in it.17 The Attorney General must adopt rules clarifying this requirement by January 1, 2027.18
Consumer rights. Consumers can request access to the personal data used by the covered ADMT and correction of factually incorrect personal data.19 They can also request meaningful human review and reconsideration following an adverse outcome.20
Record retention. Both developers and deployers must retain records necessary to demonstrate compliance for at least three years.21
Developer documentation. Developers marketing a covered ADMT must provide deployers with technical documentation covering intended uses, categories of training data, known limitations, instructions for use, and information needed for the deployer’s own disclosures.22 They must also notify deployers of material updates.23
Vendor contract terms. SB 26-189 voids any contract provision that purports to indemnify a party for its own discriminatory acts related to ADMT.24 That sentence should be read twice by anyone negotiating vendor agreements for underwriting or claims systems.
Enforcement: no private right of action, but a tight cure window
The Attorney General enforces the law through the Colorado Consumer Protection Act.25 There is no private right of action.26
Before initiating an enforcement action before January 1, 2030, the AG must give the developer or deployer a 60-day notice and opportunity to cure, if a cure is deemed possible.27 The right to cure does not apply to knowing or repeated violations.28 After 2030, the cure period sunsets. This creates a narrow window in which a carrier can fix a problem without public enforcement, but only if the compliance program can detect the problem quickly enough.
What this means for insurance operations
The compliance task has shifted from proving that your models do not discriminate to proving that consumers know when an automated system is involved, understand adverse decisions, and can get a human to look at the case.
Underwriting and pricing. Any system that scores, ranks, classifies, or recommends an underwriting or pricing decision for Colorado applicants is likely in scope. Pre-use notices may need to be embedded in application flows. Post-adverse-outcome notices will need to be operationalized within 30 days of a declination, surcharge, or other adverse action. The team should map every decision point where an ADMT is used and identify which consumer communications are triggered.
Claims. Fraud detection and claims triage systems that use ADMT are still in scope unless they fall under the cybersecurity or fraud-prevention exemptions.29 The boundary is not always obvious. A fraud model that flags a claim for further review may influence the decision enough to trigger the law, depending on how the flag is used. Claims teams should treat this as a case-by-case review, not a blanket exemption.
Marketing and distribution. Lead scoring, agent-assist tools, and other distribution technologies that affect eligibility or pricing for Colorado consumers may also be covered. The compliance team should inventory these systems alongside core underwriting and claims tools.
Vendor management. The developer documentation requirement and the anti-indemnity provision mean that vendor contracts need two new clauses. First, the vendor must deliver and update documentation that supports the insurer’s pre-use and post-adverse notices. Second, the contract must not try to offload liability for the insurer’s own discriminatory acts. Procurement and legal teams should review every active ADMT vendor agreement before January 1, 2027.
What to do before January 1, 2027
-
Map covered ADMTs. Inventory every system that uses personal data to materially influence a consequential decision about a Colorado consumer. Tag each as developer, deployer, or both. This inventory is the foundation for every other step.
-
Redesign consumer notices. Draft pre-use notices for each consumer-facing ADMT. Build a workflow to generate post-adverse-outcome notices within 30 days. The notices must be plain language and describe the ADMT’s role, not just name the system.
-
Build human-review workflows. For adverse outcomes, define what “meaningful human review” means for each line of business. Identify who reviews, what they review, and how the decision is documented. A rubber-stamp process will not satisfy this requirement.
-
Audit vendor contracts. Check active ADMT vendor agreements for the two Colorado-specific risks: missing documentation for disclosures and indemnity clauses that purport to cover the insurer’s own discriminatory acts. Renegotiate where needed.
-
Start record-retention now. The three-year retention requirement applies to records necessary to demonstrate compliance. If the records are not created now, the insurer cannot prove compliance later. Designate what must be retained, where, and for how long.
The larger signal
Colorado’s rewrite is not an isolated event. It is the first major state AI law to be rolled back and replaced under pressure from the federal executive branch and industry litigation. The new statute is narrower and more disclosure-driven than the old one, but it still leaves insurers with a concrete set of obligations that will be enforced by a state Attorney General.
The lesson is that state AI regulation is still a moving target. The systems that matter are the ones that make or influence decisions about consumers. The compliance model that wins is one that can map those systems quickly, communicate clearly with consumers, and produce a record of review on demand. The insurers that treat SB 26-189 as a cancellation of their Colorado obligations will be the ones scrambling to cure a violation in the second half of 2027.
We track Colorado’s rulemaking and state AI developments weekly. If you are building a broader insurance AI compliance program, see our guide to the NAIC AI Evaluation Tool, our analysis of agentic AI in claims, and the UnitedHealth AI governance case study.
Footnotes
-
Colorado General Assembly, “SB26-189 Automated Decision-Making Technology” (bill summary): https://leg.colorado.gov/bills/sb26-189 ↩
-
Finnegan, “Colorado Replaces Landmark AI Act: An Overview of the New SB 26-189 Framework” (May 26, 2026): https://www.finnegan.com/en/insights/articles/colorado-replaces-landmark-ai-act-an-overview-of-the-new-sb-26-189-framework.html ↩
-
Holland & Knight, “Colorado Governor Signs SB 189, Significantly Amending the State’s AI Law” (May 18, 2026): https://www.hklaw.com/en/insights/publications/2026/05/colorado-governor-signs-sb-189 ↩
-
Norton Rose Fulbright, “Colorado enacts revised AI law” (May 2026): https://www.nortonrosefulbright.com/en-us/knowledge/publications/18733d31/colorado-enacts-revised-ai-law ↩
-
Colorado General Assembly, SB 26-189 bill summary (definitions of ADMT and consequential decision): https://leg.colorado.gov/bills/sb26-189 ↩
-
Colorado General Assembly, SB 26-189 bill summary: https://leg.colorado.gov/bills/sb26-189 ↩
-
Finnegan, “Colorado Replaces Landmark AI Act” (definition of “materially influence” and “covered ADMT”): https://www.finnegan.com/en/insights/articles/colorado-replaces-landmark-ai-act-an-overview-of-the-new-sb-26-189-framework.html ↩
-
Colorado General Assembly, SB 26-189 bill summary: https://leg.colorado.gov/bills/sb26-189 ↩
-
Holland & Knight, “Colorado Governor Signs SB 189” (ADMT scope discussion): https://www.hklaw.com/en/insights/publications/2026/05/colorado-governor-signs-sb-189 ↩
-
Finnegan, “Colorado Replaces Landmark AI Act” (removed requirements): https://www.finnegan.com/en/insights/articles/colorado-replaces-landmark-ai-act-an-overview-of-the-new-sb-26-189-framework.html ↩
-
Holland & Knight, “Colorado Governor Signs SB 189” (eliminated risk management programs and impact assessments): https://www.hklaw.com/en/insights/publications/2026/05/colorado-governor-signs-sb-189 ↩
-
Norton Rose Fulbright, “Colorado enacts revised AI law” (removed annual impact assessments and risk management): https://www.nortonrosefulbright.com/en-us/knowledge/publications/18733d31/colorado-enacts-revised-ai-law ↩
-
Finnegan, “Colorado Replaces Landmark AI Act” (removed reporting requirements): https://www.finnegan.com/en/insights/articles/colorado-replaces-landmark-ai-act-an-overview-of-the-new-sb-26-189-framework.html ↩
-
Colorado General Assembly, SB 26-189 bill summary (consumer notice and rights): https://leg.colorado.gov/bills/sb26-189 ↩
-
Colorado General Assembly, SB 26-189 bill summary: https://leg.colorado.gov/bills/sb26-189 ↩
-
Holland & Knight, “Colorado Governor Signs SB 189” (notice may be satisfied through prominent public notice): https://www.hklaw.com/en/insights/publications/2026/05/colorado-governor-signs-sb-189 ↩
-
Colorado General Assembly, SB 26-189 bill summary: https://leg.colorado.gov/bills/sb26-189 ↩
-
Colorado General Assembly, SB 26-189 bill summary (AG rulemaking by January 1, 2027): https://leg.colorado.gov/bills/sb26-189 ↩
-
Colorado General Assembly, SB 26-189 bill summary: https://leg.colorado.gov/bills/sb26-189 ↩
-
Colorado General Assembly, SB 26-189 bill summary: https://leg.colorado.gov/bills/sb26-189 ↩
-
Colorado General Assembly, SB 26-189 bill summary: https://leg.colorado.gov/bills/sb26-189 ↩
-
Colorado General Assembly, SB 26-189 bill summary: https://leg.colorado.gov/bills/sb26-189 ↩
-
Colorado General Assembly, SB 26-189 bill summary: https://leg.colorado.gov/bills/sb26-189 ↩
-
Holland & Knight, “Colorado Governor Signs SB 189” (anti-indemnity provision); Finnegan, “Colorado Replaces Landmark AI Act” (voiding indemnity for discriminatory acts): https://www.hklaw.com/en/insights/publications/2026/05/colorado-governor-signs-sb-189 ↩
-
Colorado General Assembly, SB 26-189 bill summary: https://leg.colorado.gov/bills/sb26-189 ↩
-
Finnegan, “Colorado Replaces Landmark AI Act” (no private right of action): https://www.finnegan.com/en/insights/articles/colorado-replaces-landmark-ai-act-an-overview-of-the-new-sb-26-189-framework.html ↩
-
Colorado General Assembly, SB 26-189 bill summary: https://leg.colorado.gov/bills/sb26-189 ↩
-
Finnegan, “Colorado Replaces Landmark AI Act” (cure period exceptions): https://www.finnegan.com/en/insights/articles/colorado-replaces-landmark-ai-act-an-overview-of-the-new-sb-26-189-framework.html ↩
-
Cooley, “The New Colorado AI Act: What Financial Institutions Need to Know” (fraud prevention and cybersecurity carve-outs): https://cdp.cooley.com/the-new-colorado-ai-act-what-financial-institutions-need-to-know/ ↩
Simon Li · Founding Editor
Simon Li is the founding editor of InsureAI Wire, an independent publication tracking how the NAIC and individual states regulate AI in insurance — and translating it into what compliance teams must actually do. Every figure is traced back to a primary NAIC or state source.
Free · Weekly
Track these developments weekly
Get the InsureAI Wire dispatch in your inbox. Free, sourced, no spam.
Free weekly · No spam · Unsubscribe anytime
Related reading
Shadow AI in Insurance: How Undocumented AI Undermines NAIC Exhibit A
Shadow AI breaks the NAIC evaluation tool's Exhibit A inventory. What ungoverned AI use means for insurers, and a 30-day plan to close the gap.
What Trump's AI Executive Order (EO 14365) Means for State Insurance Regulation
What Executive Order 14365 does, why McCarran-Ferguson still shields state insurance AI rules, how the NAIC responded, and what carriers should do now.
AI Vendor Risk Assessment for Insurers (NAIC Checklist)
A practical NAIC-aligned checklist for AI vendor risk assessment: due-diligence questions, contract clauses, and the ongoing monitoring insurers must keep.
NYDFS Circular Letter No. 7 and the AI Underwriting Proxy Test
What NYDFS Circular Letter No. 7 requires for AI and external data in underwriting and pricing: scope, the proxy test, the 15-day notice, and vendor audits.
Information aggregation and analysis, not legal advice. See our disclaimer.