Colorado spent two years as the test case for how an American state might regulate artificial intelligence. In 2024 it became the first state to pass a broad AI law, Senate Bill 24-205, which would have forced companies that build or deploy high-risk AI to prove they were guarding against algorithmic discrimination. That law never took effect. On May 14, 2026, Governor Jared Polis signed Senate Bill 26-189, which repeals and replaces it with something far lighter.
For any business running AI agents in lending, credit, or insurance, this is not a story about Colorado backing off. The heavy paperwork is gone, but the part that touches your customers survived, and one quiet change actually widens who has to comply.
What Colorado just did
The original 24-205 was scheduled to take effect February 1, 2026, then slipped to June 30, 2026 after an August 2025 special session. Before that second deadline arrived, lawmakers scrapped the framework entirely. SB 26-189, titled simply "Automated Decision-Making Technology," was sponsored by Senator Robert Rodriguez, the same legislator behind the original bill, along with Senator James Coleman and Representatives Monica Duran and Jennifer Bacon. It is now law. The statute itself takes effect August 12, 2026, and its core compliance obligations are set to begin January 1, 2027.
The new law leans on a single definition. It describes automated decision-making technology, or ADMT, as "a technology that processes personal data and uses computation to generate output, including predictions, recommendations, classifications, rankings, scores, or other information that is used to make, guide, or assist a decision, judgment, or determination concerning an individual." If your AI shapes a consequential decision about a person, it is covered.
What got cut, and what survived
The amendment removed most of what made 24-205 demanding. Gone is the developer and deployer duty of care aimed at preventing algorithmic discrimination. Gone are the mandatory risk management programs, the impact assessments, and the requirement to report discrimination to the attorney general. According to the law firm Hunton Andrews Kurth, the revised law adopts a narrower approach focused on disclosures and transparency around certain automated decision-making technologies.
What stayed is the consumer-facing layer. Developers must hand deployers specific information: intended uses, potentially harmful uses, the categories of training data, and oversight instructions. Individuals keep limited rights, including access to and correction of their data and meaningful human review of an adverse automated decision in defined circumstances. The transparency core, in other words, is intact even as the audit machinery is gone.
The twist that pulls banks in
Here is the part financial institutions should read twice. The original 24-205 carried an entity-level exemption tied to the Gramm-Leach-Bliley Act, which effectively kept many regulated banks and credit unions out of scope. Per an analysis from Cooley, SB 26-189 entirely eliminates that exemption. A covered consequential decision now expressly includes anything that materially limits, delays, denies, or alters a consumer's access to a financial or lending service, or to insurance pricing or coverage.
Interested in implementing similar AI solutions? Discover how PATech Labs can help your business leverage cutting-edge artificial intelligence.
Learn About Our ServicesThe law does carve out the defensive use cases banks rely on: anti-money laundering and counter-terrorist financing controls, fraud prevention, identity verification, sanctions compliance, and cybersecurity. And institutions that already issue adverse action notices under ECOA, Regulation B, or the Fair Credit Reporting Act can satisfy the new notice rules through those existing channels rather than building parallel disclosures. The remaining obligations are practical: a post-adverse-outcome notice within 30 days, meaningful human review on request, three years of record retention, and a website disclosure of the ADMT in use.
What this means if you run AI in finance
The easy read is "delayed and gutted, so relax." That is the wrong read. Three things are true at once.
First, the obligations that survived are the ones that touch real customers, and they now reach banks and lenders that used to sit behind the GLBA shield. The disclosure, human-review, and record-keeping plumbing is cheap to build early and expensive to retrofit after a complaint. We see this constantly when we deploy AI agents for regulated clients: the teams that wired in a human-in-the-loop escalation path from day one move faster later, not slower.
Second, meaningful human review of an adverse automated decision is the load-bearing requirement for AI in credit and insurance. If an agent can decline, reprice, or delay a customer, a person needs to be able to step in and explain the outcome. Design that path into the workflow, not as a bolt-on.
Third, the rulebook is still moving. A Colorado court paused enforcement in April 2026 pending the attorney general's rulemaking, and the office must issue implementing rules by January 1, 2027. Other states and the European Union are not slowing down. Building once to a strict standard, with logging, explainability, and a clean audit trail, beats chasing a different rule in every jurisdiction. For context on how fast AI agents are already moving real money and real decisions, see our earlier piece on agentic payments.
The bottom line
Colorado did not abandon AI regulation. It traded a heavy, discrimination-focused regime for a lighter transparency regime, pushed the clock to 2027, and almost in passing brought regulated financial institutions inside the tent. The compliance burden is smaller than it was, but for banks and lenders it is no longer zero. The smart move is to treat the disclosure and human-review requirements as the floor, build them in now, and stop assuming the next state will be this forgiving.