The First Comprehensive State AI Law Was Dismantled Before It Took Effect
Colorado's SB 24-205 — the first broad-based AI governance statute in the US — was stayed by a federal magistrate judge in April 2026 and replaced by the state legislature in May with a significantly narrower framework. The compliance cliff framing missed the real story: the law did not survive contact with federal litigation and legislative reconsideration.
Colorado's SB 24-205, signed in May 2024, was widely regarded as the first comprehensive AI governance law in the United States. It imposed risk management program requirements on developers and deployers of high-risk AI systems, mandated annual impact assessments, required algorithmic discrimination protections, and assigned accountability obligations that echoed the structural approach of the EU AI Act. Its effective date was set for February 1, 2026, later adjusted to June 30, 2026. Neither date proved relevant. The law is, for practical purposes, no longer in its original form.
The history of SB 24-205 is not a story about a compliance deadline. It is a case study in how state AI legislation encounters federal litigation pressure and legislative reconsideration in rapid sequence. The law that most closely approximated a US equivalent to the EU AI Act's high-risk governance framework was neutralized by both — not replaced by something stronger, but replaced by something that handles a narrower slice of the original problem. Compliance officers and technology leaders who built programs against SB 24-205 are now operating under a materially different requirement.
What happened: two distinct dismantlings
On April 27, 2026, a federal magistrate judge issued a stay of SB 24-205's enforcement pending the resolution of a federal lawsuit challenging the law on preemption and other grounds. That stay suspended the law before its June 30 effective date, removing any immediate enforcement risk but also removing any immediate compliance driver.
Separately and nearly concurrently, the Colorado legislature passed SB 26-189, which Governor Polis signed on May 14, 2026. SB 26-189 does not simply amend SB 24-205 — it replaces its substantive governance architecture. The replacement drops the requirements that defined the original law: the documented risk management programs, the annual algorithmic impact assessments, the algorithmic discrimination duties, and the developer-side obligations that were the structural heart of the original statute. What remains under SB 26-189 is a notice-and-transparency framework: deployers of certain AI systems must provide disclosures and, in some contexts, offer recourse mechanisms. The obligation to build and maintain governance programs is gone.
SB 26-189: what the replacement actually requires
SB 26-189 narrows scope to covered AI systems used in consequential decisions — employment, housing, credit, and similar high-stakes contexts — and imposes disclosure requirements for consumers subject to those decisions. It does not require deployers to conduct impact assessments, maintain risk management documentation, or demonstrate that discriminatory outcomes have been identified and addressed. The architecture shifts from a proactive governance mandate to a reactive notice obligation. That is a significant reduction in the operational burden the original law would have imposed, and a corresponding reduction in the protections it would have created.
Much of the compliance industry's attention to Colorado AI Act focused on preparing for the governance program requirements in SB 24-205. Those preparations — risk inventories, impact assessment frameworks, documentation protocols — were not wrong to build. They map directly to what regulators in financial services and other sectors have been implicitly demanding through SR 11-7, model risk guidance, and examiner expectations. The fact that Colorado's statute no longer requires them does not mean the underlying governance architecture is unnecessary. It means organizations that built it are ahead of what state law requires, not behind it.
The federal preemption question and what comes next
The federal lawsuit that produced the April stay has not been resolved. Its outcome matters for the remaining SB 26-189 framework: if the court determines that federal law preempts state AI regulation of the kind SB 26-189 represents — notice and transparency for AI in consequential decisions — then the replacement statute faces the same litigation exposure as the original. The Great American AI Act, a bipartisan House discussion draft circulated in June 2026, would preempt state AI development regulation while preserving state authority over AI use and deployment. Under that proposed division, SB 26-189's use-layer transparency requirements would likely survive federal preemption even if SB 24-205's development-layer obligations would not. See the Great American AI Act alert for the preemption framework in detail.
For compliance and technology leaders, the practical position is this: Colorado no longer requires the broad governance architecture that SB 24-205 contemplated. But the underlying reasons for building that architecture — examiner expectations, model risk governance, audit defensibility — have not changed. What changed is the source of the compliance driver, not the substance of the underlying risk.
What's next
The federal stay remains in place pending litigation. SB 26-189 takes effect on June 30, 2026, unless further legal action intervenes. Organizations that built governance programs in anticipation of SB 24-205 should confirm their compliance posture against SB 26-189's narrower requirements while preserving the governance documentation that regulators in their primary sector continue to expect. The state AI law patchwork is not resolving — it is evolving in unpredictable directions, and the federal preemption question will define the next phase of that evolution.
Ghost Watch in your inbox
Regulatory signals and analysis, when there is something worth saying. No fixed cadence.
Subscribe →