Tool · Colorado SB 26-189 Disclosure-Readiness Checker
Does your AI trigger the Colorado AI law’s disclosure duties?
Five-step decision tree that scopes your automated decision system against Colorado SB 26-189 — the amended AI law, effective January 1, 2027 (it repealed and replaced SB 24-205 before that act took effect). Returns an IN-SCOPE or OUT-OF-SCOPE result for the SB 26-189 disclosure duties, a recommended NIST AI RMF governance baseline, sector overlays (HIPAA, GLBA, FCRA, NYC LL144, etc.), and a countdown to the effective date. Free, on-screen result.
Law firms can write the memo. The MSSP runs the controls. EFROS operates the AI Governance program: inventory, ADS disclosure tooling, vendor BAA verification, audit logging, human oversight, NIST AI RMF risk assessment, board-grade reporting, under one accountable SLA.
Step 1 · Colorado SB 26-189 — consequential decision
Does your AI system make “consequential decisions” about Colorado residents?
Consequential decisions include hiring, lending, housing, insurance, education, employment, healthcare, and legal services. The decision must have a material legal or similarly significant effect on a Colorado resident’s access to that service. Jurisdiction is based on the consumer’s residence — not your headquarters.
What you get back
Scoping, disclosure duties, countdown. No fluff.
IN SCOPE or OUT OF SCOPE for SB 26-189 disclosure
Plain-English scoping under Colorado SB 26-189: does your automated decision system make or substantially inform a consequential decision about Colorado consumers? That is the test that determines whether the disclosure duties apply at all.
SB 26-189 disclosure duties + NIST AI RMF baseline
The surviving Colorado obligations: consumer disclosure when an ADS makes or substantially informs a consequential decision, a public-facing ADS disclosure statement, and the general 'you're interacting with AI' notice. Plus the NIST AI RMF risk assessment and governance program that procurement, insurers, and customers now expect as the operating baseline (ISO/IEC 42001 on top).
Sector-specific overlays that stack
Stacking on top of the SB 26-189 disclosure baseline: Healthcare gets HIPAA + HHS-OCR Section 1557 + FDA SaMD. Financial services gets GLBA Safeguards + SR 11-7 + ECOA + NYDFS Part 500. Employment gets NYC LL144 + Illinois HB 3773 + EEOC. Insurance gets Colorado DOI 10-1-1 + NAIC model. Housing gets FHA + FCRA. Education gets FERPA + Title IX. Legal gets ABA Formal Opinion 512 + state bar opinions.
Countdown to SB 26-189 effective date (January 1, 2027)
Days, hours, minutes until Colorado SB 26-189 takes effect. The amended law was signed May 2026 — it repealed and replaced SB 24-205 before that act took effect. Calibrates your disclosure-readiness and NIST AI RMF rollout against the timeline.
Who runs this
Decision-makers scoping AI exposure ahead of January 2027.
General Counsel
Triage which AI deployments need legal review for Colorado SB 26-189. The decision tree shows which use cases put an automated decision system in scope for the disclosure duties and which fall under the general AI-interaction notice only.
Chief Compliance Officer
Defensible scoping you can take to the board or counsel. The tool maps each surviving SB 26-189 disclosure duty and the recommended NIST AI RMF governance baseline so internal counsel can verify the call.
CISO / Head of AI Governance
Determine where to start the NIST AI RMF risk assessment and governance program, which sector overlays stack, and what SB 26-189 disclosure the ADS requires. Roadmap output ties to the operating baseline procurement and insurers expect.
Founder / COO of a multi-state operation
If you serve any Colorado residents (patients, employees, customers, applicants) and use an automated decision system to make or substantially inform decisions about them, the SB 26-189 disclosure duties can reach you regardless of HQ location. The tool clarifies what that means in practice.
FAQ
Questions about Colorado SB 26-189 scoping.
When does Colorado's AI law take effect?
Colorado SB 26-189 — the amended AI law — takes effect January 1, 2027. It was signed May 14, 2026. The countdown in the tool shows time remaining until the effective date so you can pace your disclosure-readiness and NIST AI RMF rollout.
Wasn't there an earlier Colorado AI Act, SB 24-205?
Yes, and it was repealed and replaced before it ever took effect. SB 24-205 (the original Colorado AI Act / CAIA) created a high-risk-system classification with impact assessments, a risk-management program, a developer and deployer duty of care, right-to-correct/appeal mandates, and a 90-day Attorney-General algorithmic-discrimination notice. SB 26-189 (signed May 14, 2026, effective January 1, 2027) repealed that machinery and replaced it with a narrower transparency/disclosure regime for automated decision systems. If you built a program around SB 24-205's high-risk obligations, the surviving Colorado mandate is now disclosure — though a NIST AI RMF program is still strongly recommended.
Who is in scope: only Colorado-headquartered organizations?
No. SB 26-189 turns on where the consumer (patient, employee, applicant, customer) resides, not where the deployer is headquartered. A New York health system using an automated decision system on a Colorado resident's chart can trigger SB 26-189 disclosure for that interaction. A multi-state employer with a Colorado-resident applicant can be in scope for that hiring decision.
What counts as a 'consequential decision' under SB 26-189?
A consequential decision is one with a material legal or similarly significant effect on a consumer's access to services such as education, employment, financial or lending services, government services, healthcare, housing, insurance, or legal services. SB 26-189's disclosure duties attach when an automated decision system makes or substantially informs such a decision about a Colorado consumer.
What is an 'automated decision system' here?
An automated decision system (ADS) is a system that makes or substantially informs a consequential decision. In practice, if a human reviewer routinely follows the system's recommendation, the ADS is typically in scope. If the system surfaces information but the human decision-maker fully retains agency, you may be outside the ADS disclosure scope — counsel should review the specific use. SB 26-189 dropped the old SB 24-205 'high-risk' classification entirely.
Is there a small-deployer exemption?
SB 26-189 narrows the original act's scope and exempts smaller deployers under defined thresholds. Critically, the risk-management-policy, impact-assessment, and annual-review mandates from the repealed SB 24-205 no longer apply to anyone. SB 26-189's consumer and public ADS disclosure duties, plus any applicable federal baselines (Section 1557, ECOA, Title VII), still apply. Counsel must confirm eligibility for any threshold exemption.
What's the difference between a developer and a deployer?
Developers build or substantially modify an automated decision system; deployers use one in their operations to make or substantially inform consequential decisions. Under SB 26-189 each role carries its own transparency/documentation duties. Most US organizations are deployers using vendor models. Some larger systems with internal data science teams operate as both — a hospital running an internal sepsis model and external scribes, for example.
What's the penalty for non-compliance?
The original SB 24-205 enforcement regime — exclusive Colorado Attorney General enforcement as a deceptive trade practice with civil penalties up to $20,000 per violation — was repealed along with the rest of that act. SB 26-189 carries its own, narrower enforcement keyed to the disclosure duties. Because the old NIST AI RMF rebuttable-presumption safe harbor went away with SB 24-205, NIST AI RMF is now best understood as the operating governance baseline that procurement, insurers, and customers expect — not a statutory safe harbor. Confirm the current penalty mechanics with counsel.
Is this legal advice?
No. Decision tree based on Colorado SB 26-189 (the amended AI law; it repealed and replaced SB 24-205). Not legal advice. EFROS operates AI governance programs — we run the inventory, vendor BAA verification, NIST AI RMF risk assessment, monitoring, and disclosure tooling. We do not provide legal opinions on the law's application to specific facts. Consult counsel before relying on this scoping for compliance decisions.
Disclaimer: Decision tree based on Colorado SB 26-189 (the amended AI law; it repealed and replaced SB 24-205 before that act took effect). Not legal advice. EFROS operates AI governance programs; we do not provide legal opinions on the law’s application to specific facts. Consult counsel before relying on this scoping for compliance decisions. SB 26-189 takes effect January 1, 2027 and may be further amended or clarified by rulemaking; refresh your assessment if material changes are enacted.
Already scoped? Operationalize the program.
The $5k AI Governance audit extends the scoping with M365 Graph deep-scan, AI vendor BAA verification, training-data lineage review, and an executive-ready compliance binder mapped to NIST AI RMF + ISO/IEC 42001 + the Colorado SB 26-189 disclosure baseline. Ten-day delivery.
From scoping to compliance program
EFROS AI Governance service
NIST AI RMF, Colorado SB 26-189, SR 11-7 operating program.
Free AI Risk Score
Multi-framework scoping: Colorado SB 26-189 + NYC LL144 + CA AB 2013 + NIST AI RMF maturity.
Colorado AI law (healthcare)
Sector-specific deployer disclosure duties and clinical AI vendor BAA matrix.
NIST AI RMF practical guide
The operating governance baseline procurement and insurers expect.
State AI law tracker
9 active US state AI laws with compliance dates.
AI Governance for law firms
ABA Formal Opinion 512 operationalized.