Most are aware that back in May of 2024, Colorado’s legislature passed and its governor signed into law the Colorado AI Act. This first-of-its-kind comprehensive AI regulatory legislation aimed, among other things, to prevent discrimination in the use of AI technology while encouraging innovation. The law drew heavily from other considered AI regulations in the EU and Connecticut but advanced faster and further than those other laws and was originally set to take effect on Feb. 1, 2026.
Concerned with potential fiscal and implementation impacts of the law, Colorado’s Governor Polis called a special session of the Colorado legislature in Aug. of 2025 to revisit the Colorado AI Act. Specifically, the special session was to look at whether the law should be amended to lessen the impact on business in Colorado and to address potential challenges with its implementation. The result of that special session was no agreement on any changes to the substance of the Colorado AI Act—only a postponement of its implementation until June 30, 2026. A comprehensive rewrite of the law by Senate Majority Leader Rodriguez gained some momentum with revisions that would have maintained consumer protections, streamlined requirements, and included a joint and several liability provision applying to deployers and developers of AI technology should it violate the law. But, in the end, the push of more than 100 technology companies and their 150 lobbyists hired to shape the Rodriguez bill failed when those technology companies refused to accept liability for their technology.
With the start of the Colorado legislative session on Jan. 14, 2026, it was expected that legislators would again revisit the Colorado AI Act and its requirements. With growing business opposition to the law, many believed that many of the law’s requirements would be softened or removed altogether to better accommodate the development of AI in connection with businesses in Colorado. This would also be in keeping with President Trump’s Executive Order proscribing AI regulations that could impede the development of AI technology in the U.S. Industry groups continued to push for the softening or repeal of regulatory requirements while consumer groups continued lobbying for the protections to remain in place. But what has emerged from the Colorado legislative session to date is more of the same—no agreement on any changes. And, the question becomes, should businesses start the process of preparing to comply with the Colorado AI Act.
While the 2026 Colorado legislative session is not set to close until May 13, 2026 and anything can happen between now and then, there has been very little activity or discussion about the Colorado AI Act or possible changes to it coming from the legislature, the Governor’s office, the State’s Attorney General or from the business community thus far in 2026.
The fact that the Governor’s office and Colorado’s Attorney General have been quiet on the Act and possible changes is understandable. Colorado is electing a new governor in Nov. of 2026. The outgoing governor is barred by term limits from running again but, it appears that he is not of a mind to take any key positions on the Act that may impact the gubernatorial election in Colorado for his fellow Democratic party members. One of those Democratic party members running for the Governor’s seat is the current Colorado Attorney General. In a state with mixed political leanings and strong opinions on both sides of the issue, to date, Attorney General Weiser has advocated for the Colorado legislature to carefully consider revisions to the law that move away from prescriptive regulatory regimes to a transparent, inclusive, and credible system for promoting innovation while protecting consumers. Attorney General Weiser has also though, directly challenged President Trump’s AI Executive Order and threats to cut off federal funding for Colorado if it does not repeal its AI Act and called on Congress to take up AI regulation. But, this position fails to coalesce into any concrete set of regulations or rules that are proposed to replace the existing law—only suggestions of an approach and preferred positions. Other Colorado gubernatorial candidates are no more specific on this point, with none offering any comprehensive plan to revise the Colorado AI Act.
There still remains the bones of the Rodriquez compromise bill from August of last year. And while that bill had some promise as a potential workaround, many legislators were alarmed by “big tech’s” powerful push to avoid any and all liability for their products. The complete opposition by the developers of AI technology to any and all liability for the discriminatory or harmful operation of their technology was a harsh wakeup for many legislators involved—one which only reaffirmed the need for regulation in this space. And Colorado’s position as a leader on this point, with other states and even foreign countries, looking to Colorado and how they handle this legislation serves as motivation for other legislators to see this law through. And so, despite almost immediate opposition, from both the Governor and the bill’s sponsor, since its passage and signing in 2024, the Colorado AI Act remains law.
With no changes made and implementation set for the end of June 2026, companies who use AI technology in Colorado or with Colorado residents should be prepared for what is coming. Under the law, businesses using AI in connection with consequential decisions still need to do the following:
- AI Risk Assessments – Prior to starting use of AI and on an annual basis thereafter (and after any substantial changes to the program), business using AI must conduct an impact risk assessment which must include: (1) the purpose of the AI use, the actual intended use of the AI technology, the deployment context, and the benefits of the AI system, (2) an analysis of any known or reasonable foreseeable risks of discrimination through the use of the AI technology, the nature of those risks, and mitigation steps taken, (3) a description of the data used to make decisions and the output data of the AI system, (4) the testing done to prevent discrimination and monitor system use, (5) how the business is meeting transparency requirements with respect to the use of the AI technology, and (6) how the business is monitoring and overseeing the deployment of the AI for any issues.
- Consumer Disclosures – The business must disclose on its website the types of high-risk AI systems (i.e., systems making consequential decisions) it is using, how it is mitigating known and foreseeable risks, and, in detail, the nature, source, and extent of the information collected and used by the business with its AI systems.
- Risk Management Programs – deployers of AI technology must implement a risk management policy and program to govern their deployment of the AI technology. The policy must (1) specify the principles, processes, and personnel used to identify and mitigate discrimination in the use of the AI, (2) be an ongoing process that is reviewed and updated regularly, (3) be reasonable, considering factors such as how the program compares to established programs like NIST’s Artificial Intelligence Risk Management Framework or the size and complexity of the business. Of note, one policy or program can cover multiple uses of AI technology where applicable.
- Vendor Agreements – business must make sure that vendors that are supplying AI technology or assisting in the use of the businesses’ AI systems are providing the necessary information for the business to conduct its risk assessments and reporting obligations and working to prevent discrimination.
- Staff Training – businesses must train staff on consumer rights, the requirements of the CO AI Act and how it impacts the operation of the business and its use of the AI systems.
- Process Documentation – the business must document all of its efforts to monitor, evaluate, mitigate, and manage the risks associated with its use of AI systems to make consequential decisions.
These requirements do not have to be overly complex or complicated, but, as indicated above, are going to require some effort, thought, and careful consideration. While it is unknown exactly how the CO AI Act will look come the end of June, 2026, we do know that it is currently the law and, despite near universal condemnation, remains intact. Businesses should prepare for its enactment. And the professionals in the Cybersecurity and Data Privacy Department at Clark Hill, PLC can assist.
This publication is intended for general informational purposes only and does not constitute legal advice or a solicitation to provide legal services. The information in this publication is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. Readers should not act upon this information without seeking professional legal counsel. The views and opinions expressed herein represent those of the individual author only and are not necessarily the views of Clark Hill PLC. Although we attempt to ensure that postings on our website are complete, accurate, and up to date, we assume no responsibility for their completeness, accuracy, or timeliness.