SB 26-189 takes effect January 1, 2027

Colorado AI Act readiness audit

Answer a few questions to see your SB 26-189 readiness gaps and get a personalized PDF report with statute citations and remediation steps. No signup.

Updated for SB 26-189 · verified May 14, 2026

Free, no signup

Processed securely

PDF report to keep

Colorado SB 24-205 was repealed and replaced by SB 26-189 on May 9, 2026.

The new framework takes effect January 1, 2027, drops the risk-management programs, annual impact assessments, and NIST AI RMF rebuttable presumption that defined the original law, and replaces them with a narrower consumer notice + appeal regime. Enforcement runs through CUPA with 60-day notice and opportunity to cure; the Colorado AG must still complete rulemaking.

This audit and its citations are aligned to SB 26-189 as of May 14, 2026.

1. What industry does your company operate in? *

SB 26-189 applies to consequential decisions in education, employment, financial / lending services, housing, insurance, healthcare, and essential government services.

2. What is your role with respect to the AI / ADMT? *

SB 26-189 splits obligations between Developers (build / train the AI) and Deployers (use it in consequential decisions). Most audit-takers are deployers.

Deployer — we use an AI / ADMT in consequential decisions

Developer — we build or train the AI / ADMT others deploy

Both — we build and deploy our own AI / ADMT

Unsure

3. Do any of your users or customers live in Colorado? *

Yes

Unsure

4. How many employees does your company have? *

Under 50

50–200

More than 200

5. Do you provide clear pre-use notice to consumers when ADMT is involved in a consequential decision? *

Sec. 6-1-1703 (as re-enacted by SB 26-189) requires clear and conspicuous notice at the point of interaction that automated decision-making technology is being used.

Yes — we notify consumers before every ADMT-involved consequential decision

Partial — we disclose in some cases but not all

No — we don't currently provide this notice

Unsure

6. After an adverse outcome, do you send a plain-language description of the ADMT's role within 30 days? *

Sec. 6-1-1703 requires deployers to provide a plain-language description of the ADMT's role within 30 days of an adverse decision. AG rulemaking (deadline before January 1, 2027) will refine the format.

Yes — we send a templated plain-language description within 30 days

No — we don't currently send this notice

Unsure

7. Can consumers request meaningful human review of adverse ADMT decisions? *

Sec. 6-1-1703 requires meaningful human review and reconsideration to the extent commercially reasonable — a real person with override authority, not the same automated system.

Yes — labeled pathway, named reviewer with override authority

Partial — review exists but routes to the same system or lacks override authority

No — there's no formal human review process

Unsure

8. Can consumers access and correct the personal data your ADMT uses? *

SB 26-189 grants consumers the Colorado Privacy Act § 6-1-1306 access + correction rights for personal data used by ADMTs. Deployers must accept, process, and respond.

Yes — documented intake, response SLA, correction wired back into the model's data

Partial — intake exists but inconsistent across channels or unclear SLA

No — no formal data access or correction process

Unsure

9. Do you retain compliance records (notices, reviews, requests) for 3 years? *

SB 26-189 requires 3-year retention of compliance records for both developers and deployers. Records substrate the AG's 60-day cure period — without them, cure is much harder.

Yes — append-only retention covering all in-scope compliance activities

Partial — some records retained, coverage or retention period unclear

No — we don't have a 3-year retention policy in place

10. Describe the consequential decision your ADMT makes or influences *

SB 26-189 covers consequential decisions in education, employment, housing, financial / lending services, insurance, healthcare, and essential government services. 1–2 sentences is enough.

Company name *

Used to personalize your PDF report.