01What just changed, and why it matters
On May 9, 2026 — three days before this paper's publication — the Colorado General Assembly passed SB 26-189, a complete rewrite of the state's 2024 AI law. The new statute does not amend the old one; it repeals and replaces it. For most businesses reading the headline summary, the rewrite looks like a softening. For healthcare deployers reading the fine print, it is a meaningful expansion of the regulated perimeter.
The law that SB 26-189 replaces — SB 24-205, the Colorado AI Act or "CAIA" — was signed by Governor Jared Polis in May 2024 as the first-in-the-nation comprehensive state AI statute. Governor Polis signed it with reservations, asking the legislature to revisit the law. The legislature could not reach agreement during 2025; a 2025 special session pushed the effective date from February 2026 to June 2026.
By spring 2026, the path for the original law had collapsed. xAI filed a federal constitutional challenge on April 9, 2026. The US Department of Justice intervened April 24. The Colorado District Court stayed enforcement of SB 24-205 on April 27. With the June effective date approaching and the law under federal court stay, the legislature acted. SB 26-189 was introduced May 1, passed both chambers within nine days, and arrived at the Governor's desk on May 9 with broad bipartisan support (House vote: 57–6). The bill takes effect January 1, 2027.
SB 26-189 swaps Colorado's prescriptive risk-management-program regime for a narrower disclosure-and-transparency regime — but it eliminates the federally-regulated-entity exemptions that previously narrowed the original law's healthcare reach, with the net effect that more healthcare entities now sit inside the perimeter, doing less prescribed work but bearing direct AG enforcement exposure under the Colorado Consumer Protection Act.
02"Automated decision-making technology," defined
The most consequential structural change is the redefinition of the regulated subject matter. The original law regulated "high-risk artificial intelligence systems." The new law regulates automated decision-making technology (ADMT), defined functionally rather than technically.
The definition is technology-agnostic. It captures any system — machine-learning, rule-based, statistical, hybrid — that processes personal data and produces output used in a decision about a natural person. The framework's centre of gravity has shifted from "what is the underlying technology" to "what is the technology being used for, and against whom." This is the same conceptual move California's privacy regulator made in its 2024–2025 ADMT regulations under the CCPA, and it represents the emerging consensus in state-level AI regulation.
2.1 What the definition covers
An ADMT must satisfy three elements: it must process personal data; it must use computation to generate output; and the output must be used to make, guide, or assist a decision about an individual. In healthcare deployment this captures prior-authorization recommendation engines, clinical-decision-support systems used in coverage decisions, risk-stratification scoring models, eligibility-determination logic, and the prioritisation logic embedded in utilization-management workflows.
2.2 What the definition excludes
SB 26-189 explicitly excludes: calculators, databases, firewalls, spell-checkers, and certain spreadsheets; tools used solely to summarise, organise, translate, or draft content for human review; advertising, content moderation, cybersecurity, fraud prevention, and AML/CTF compliance systems; consumer-facing LLMs not marketed for consequential decision-making (provided an acceptable use policy accompanies them); and routine clerical tasks. The LLM exclusion is the most interesting policy choice: the moment a general-purpose LLM is integrated into a workflow using its output to make or assist a coverage determination, the exclusion falls away.
03Covered domains and the healthcare hook
SB 26-189 regulates ADMT that materially influences a consequential decision about a consumer in one of seven specified covered domains.
3.1 What "materially influences a consequential decision" means
The mature pre-rulemaking reading is that ADMT that makes the decision autonomously is materially influential; ADMT whose output is typically followed by the human reviewer is materially influential; ADMT used to route, prioritise, or pre-screen in a way that constrains the human reviewer's options is likely materially influential; ADMT used purely advisorily, where the human reviewer routinely overrides or independently evaluates the recommendation, is likely not materially influential. AG rulemaking will define this further.
3.2 The healthcare-deployer reading
For a payer, hospital system, or UM vendor operating in Colorado, three distinct categories of exposure follow. First, prior-authorization AI driving coverage determinations is in-scope. Second, clinical-decision-support systems feeding into coverage or care-management decisions — bed-utilisation models, length-of-stay predictors, discharge-readiness scoring — are likely in-scope when their outputs are operationally treated as decisional rather than advisory. Third, risk-stratification and care-management routing tools are in-scope to the extent they shape access to care.
04Developer and deployer duties
SB 26-189 distributes obligations between developers (entities that create or substantially modify covered ADMT) and deployers (entities that use covered ADMT to make consequential decisions). A single organisation can be both.
4.1 Developer duties
Developers must provide deployers with technical documentation covering: intended uses and unsuitable uses; categories of training data; known limitations and inappropriate uses; instructions for appropriate use including human review. Developers must also notify deployers of material updates and retain records for at least three years.
4.2 Deployer duties
| Obligation | What it means in practice for healthcare deployers |
|---|---|
| Consumer disclosures | Clear notice to the consumer about the use of ADMT in a consequential decision — targeted, not buried in privacy-policy boilerplate. |
| Post-adverse-outcome explanations | When ADMT produces an adverse outcome, a substantive explanation of the decision allowing the consumer to understand its basis. |
| Correction rights | The consumer may correct inaccurate personal data that contributed to the adverse outcome, and the deployer must reconsider the decision in light of corrected data. |
| Meaningful human review | The consumer has a right to request human review of an adverse decision — review that is substantive, not a procedural box-check by a reviewer routinely affirming the ADMT output. |
"Meaningful human review" maps directly onto the same question California SB 1120 addresses (licensed clinician competent to evaluate the specific clinical issues) and Maryland HB 820 addresses through its individual-clinical-picture requirement. A healthcare deployer that has built its workflow to satisfy California's standard is already most of the way to satisfying Colorado's. A deployer whose workflow features human reviewers rubber-stamping ADMT recommendations is exposed under all three regimes simultaneously.
05The eliminated exemptions — and who gets swept in
SB 24-205 contained conditional exemptions for federally-regulated entities — meaning Medicare Advantage organisations, Medicaid managed care plans, and similar federal-payer entities could plausibly argue exemption. SB 26-189 eliminates these exemptions. The Colorado AI Policy Work Group recommended this on the rationale that those entities are among the most consequential users of ADMT in the covered domains.
5.1 Who is now in scope who arguably was not before
- Medicare Advantage organisations operating in Colorado, when using ADMT for Colorado Medicare beneficiary coverage decisions
- Medicaid managed care plans contracted with Colorado HCPF, when using ADMT in utilisation management
- CHIP managed care entities operating in Colorado
- QHP issuers on Connect for Health Colorado, when using ADMT in coverage or pricing determinations
- Federally-qualified health centres and other federally-regulated provider organisations
As of mid-2026, no federal rule of the kind that would qualify for the remaining narrow exemption exists in the healthcare-AI context — CMS-0057-F is an infrastructure rule, not a substantive AI regulation — so the practical effect of the exemption is limited.
06Enforcement, the cure period, and the xAI litigation
6.1 AG-only enforcement via the Colorado Consumer Protection Act
The Colorado Attorney General is the sole public enforcer. Violations are channeled through the Colorado Consumer Protection Act, with a violation of SB 26-189 deemed a deceptive trade practice. Available remedies include civil penalties, restitution, disgorgement, and injunctive relief. There is no private right of action.
6.2 The 60-day notice-and-cure period
Before initiating enforcement, the AG must provide 60 days' notice and an opportunity to cure the alleged violation, where cure is deemed possible. The notice-and-cure provision is scheduled to expire January 1, 2030. After that date, the AG may proceed directly to enforcement. Healthcare deployers should plan their compliance posture around the cure-period availability through 2029, and its unavailability from 2030 forward.
6.3 The xAI v. Weiser litigation
xAI LLC v. Weiser, Civil Action No. 1:26-cv-01515-DDD-CYC (D. Colo.), was filed April 9, 2026, raising First Amendment, Dormant Commerce Clause, Due Process, and Equal Protection challenges to SB 24-205. DOJ intervened April 24. The court stayed SB 24-205 on April 27. SB 26-189 is structured as a repeal and replacement — whether the stay reaches the new statute is an open question the courts will need to resolve.
The first procedural question is whether xAI and DOJ amend their complaint to add SB 26-189 as a target, or whether the parties stipulate to litigation under the new statute. The procedural disposition will likely come within the next 60–90 days. Healthcare deployers should plan to the law as enacted (effective January 1, 2027) and adjust if and when the court intervenes — not delay compliance work in anticipation of judicial relief that may not arrive.
07Timeline and rulemaking
08How SB 26-189 fits into the five-regime landscape
8.1 What sits at the intersection of all five regimes
The healthcare deployer reading this paper alongside SB 1120, HB 820, CMS-0057-F, and EU AI Act Article 12 will find that the architecture which satisfies all five is one architecture:
- An ADMT inventory mapping every AI/algorithmic/decision-support tool in operation and its consequential-decision footprint
- Per-determination evidence binding each specific decision to a specific model version, the specific inputs it conditioned on, and the human-review action that followed
- A consumer-facing rights framework capable of producing disclosures, explanations, correction responses, and human-review escalations on individual request
- A meaningful-human-review workflow satisfying California's licensed-clinician requirement, Maryland's individual-clinical-picture requirement, Colorado's meaningful-review requirement, and the EU AI Act's Article 14 human oversight obligation simultaneously
- An audit-and-evidence-production capability satisfying CMS-0057-F public reporting, state AG inquiries, and EU market surveillance authority requests
09What healthcare deployers should do in the next 90 days
9.1 Build the ADMT inventory and confirm Colorado-operations scope
Begin with a documented inventory of every AI, algorithmic, or rule-based system touching a consequential decision in the healthcare domain for a Colorado consumer — including systems operated by vendors on the entity's behalf. Critically, include systems previously considered exempt under SB 24-205's federally-regulated-entity exemption. Those exemptions are gone. Medicare Advantage plans, Medicaid managed care plans, and CHIP managed care entities operating in Colorado need to assume in-scope.
9.2 Track the AG rulemaking and engage where possible
Mandatory AG rulemaking will produce the most consequential operational guidance before January 1, 2027. The AG's office has historically run rulemaking in a notice-and-comment posture. Healthcare entities operating across multiple state regimes should plan to file comments when notice issues, particularly on the interaction between SB 26-189 and the parallel federal CMS-0057-F infrastructure.
9.3 Architect the per-consumer rights framework now, not in late 2026
The four deployer duties describe operational capabilities, not policy documents. A Colorado-resident enrollee who receives an adverse coverage determination on January 2, 2027 has an immediate right to disclosure, explanation, correction-data-submission, and human-review request. Healthcare deployers should treat the next 33 weeks as the build-and-test window for those processes.
Days 1–30: complete the ADMT inventory for Colorado healthcare operations; identify systems previously assumed exempt; map the gap between current capability and the four deployer duties. Days 31–60: begin building the consumer-disclosure, explanation, correction, and human-review processes; engage Colorado counsel on outstanding questions; file comments on AG rulemaking notice if issued. Days 61–90: end-to-end test the consumer-rights workflows on real consequential decisions; reconcile the resulting architecture against the parallel California, Maryland, federal, and (if applicable) EU regimes.
References & citations
- Colorado General Assembly. Senate Bill 26-189 — Automated Decision-Making Technology. Passed May 9, 2026; awaits Governor's signature.
- Colorado General Assembly. Senate Bill 24-205 — Consumer Protections for Artificial Intelligence (repealed by SB 26-189).
- Szewczyk et al. Colorado Rewrites Its Landmark AI Law: Unpacking SB 26-189. Ballard Spahr CyberAdviser, May 11, 2026.
- Reed Smith LLP. SB 26-189: Colorado Legislature Kicks Off CAIA Rewrite Race.
- Proskauer Rose LLP. Major Developments Put Colorado's AI Law on Ice Ahead of Implementation, May 2026.
- Colorado Newsline. New bill would narrow scope of Colorado's landmark 2024 AI law, May 4, 2026.
- xAI LLC v. Weiser, Civil Action No. 1:26-cv-01515-DDD-CYC (D. Colo., filed April 9, 2026); DOJ complaint in intervention filed April 24, 2026; stay entered April 27, 2026.