Colorado Gutted Its AI Hiring Law 47 Days Early. Keep These 4 Things.

If your TA ops team spent Q1 2026 standing up a NIST-aligned risk program and queuing a bias-audit vendor for your ATS, you just had the rug pulled. On May 14, 2026, Governor Jared Polis signed SB 26-189, repealing SB 24-205 47 days before its June 30 effective date and replacing it with a narrower automated-decision-making regime that lands January 1, 2027. The new law is smaller, but it is not nothing, and "we're done" is the wrong takeaway.

This is what actually changed, what you should shelve, what you should keep building, and the contract language you need to re-paper before the new year.

What Polis signed on May 14

SB 26-189 is titled "A Bill Concerning the Use of Automated Decision-Making Technology in Consequential Decisions." It supersedes SB 24-205, the first comprehensive state AI law in the country, which Polis himself had signed in May 2024 while publicly inviting revisions. The same legislator who championed the original, Senator Robert Rodriguez, sponsored the repeal. The sponsor walked back his own law.

The political vector matters. In December 2025, President Trump's executive order on "Ensuring a National Policy Framework for Artificial Intelligence" specifically targeted SB 205 as "excessive State regulation." On April 9, 2026, xAI sued Colorado Attorney General Philip Weiser in federal court challenging SB 24-205's constitutionality. DOJ moved to intervene in support of xAI, the first time the federal government has sought to invalidate a state AI law. On April 27, the court stayed enforcement. Two and a half weeks later, the rewrite was law.

47

What you can shelve

If your compliance roadmap was built off SB 24-205, four big workstreams just got smaller or vanished.

The NIST AI RMF / ISO 42001 risk program. Gone as a statutory mandate. There is no longer a required risk management program tied to a named framework. If you were sequencing a control library and an internal AI governance committee solely to satisfy SB 24-205, you can downshift that to whatever your enterprise risk team actually needs.

Annual impact assessments within 90 days of deployment. Gone. The formal impact-assessment cadence that the original act imported from data-protection law is not in SB 26-189.

Self-reporting harms to the AG. Gone. The duty to proactively notify the Colorado AG of discovered algorithmic discrimination has been removed.

The freestanding "duty of reasonable care." Gone as its own cause of action. Anti-discrimination liability under existing state and federal law is preserved, but the SB 24-205 invention of a standalone duty to protect consumers from algorithmic discrimination did not survive.

A reasonable chunk of the bias-audit and impact-assessment cottage industry that grew up around SB 24-205 is now sourcing for a regime that does not exist.

What still bites on January 1, 2027

The disclosure-and-rights regime is what survived, and it covers more of your workflow than the consultants are telling you.

The ADMT definition is wide

The statute defines automated decision-making technology as "a technology that processes personal data and uses computation to generate output, including predictions, recommendations, classifications, rankings, scores, or other information that is used to make, guide, or assist a decision, judgment, or determination concerning an individual."

That is your resume screener. It is also your sourcing tool's ranked list, your scheduling optimizer, your comp-banding model, and your retention-risk dashboard. "Used to make, guide, or assist" is the language that does the work.

Consequential decision pulls in your whole funnel

A "consequential decision" includes employment, and SB 26-189 explicitly lists "hiring, termination, promotion, compensation, and scheduling." Your req-to-offer pipeline is in scope end to end, not just the offer decision.

The Colorado Privacy Act workforce carve-out is gone

This is the single biggest shift TA leaders are not internalizing. The Colorado Privacy Act largely exempts employee and applicant data (apart from its biometric provisions). SB 26-189 deliberately closes that hole. "Consumer" expressly includes employees and Colorado resident job applicants. Every "we don't worry about CPA for candidates" memo from your privacy team needs a footnote.

Applicant rights that you have to operationalize

When a Colorado applicant or employee experiences an adverse outcome from a consequential decision a covered ADMT "materially influences," the deployer must provide:

• Instructions for requesting personal data and correcting factually incorrect or materially inaccurate personal data the ADMT used.
• An opportunity for meaningful human review and reconsideration when commercially reasonable.

Plus pre-use notice, and a three-year minimum retention of compliance documentation. That retention system needs to exist before January 1, 2027.

The bias audits are not wasted. They become the evidentiary foundation for the antidiscrimination liability SB 26-189 explicitly preserved.

The human-in-the-loop trap

AI Policy Desk's read of the statute is that "a system where a human makes the final decision with full information and can override the AI recommendation may not qualify as ADMT." That sounds like a clean exit. It is not.

If your recruiter opens a ranked shortlist from a vendor, clicks through the top 10, and rejects the rest without reading them, you have a rubber stamp. AG rulemaking is going to live inside the phrase "materially influences," and a rubber stamp is exactly what plaintiffs' counsel will argue does not break the chain.

The defensible version is a sourcing workflow where the human can see why a candidate surfaced, can re-rank on different criteria, and can pull in candidates the model did not surface at all. That is part of why we built Refolk: you describe who you want in plain English, you see the reasoning, and you can ask follow-up questions that reshape the list instead of accepting it. A reviewer who can interrogate the ranking is closer to the "full information and can override" standard than a reviewer who cannot.

Enforcement: slower than the calendar suggests

SB 26-189 does not create a private right of action. The Colorado AG enforces violations as deceptive trade practices under the Colorado Consumer Protection Act, and must issue a notice of violation with a 60-day opportunity to cure before any enforcement action.

AG Weiser has also stated he does not intend to enforce SB 24-205 or any legislation replacing or amending it, including SB 26-189, until after rulemaking concludes. In practical terms, the Colorado AI Act is on hold with no firm enforcement date past January 1, 2027.

Do not read that as a green light. Read it as time to do the boring work right.

Re-paper your vendor contracts

This is the line in SB 26-189 your procurement team needs to see: contract terms that indemnify a developer or deployer against liability for its own antidiscrimination violations involving covered ADMT are void as against public policy.

If you signed standard MSAs with HireVue, Eightfold, Paradox, or any other ADMT vendor in 2024 or 2025, the indemnification language is almost certainly written for a world where the deployer could push antidiscrimination liability back upstream. Half of it may now be unenforceable in Colorado. Re-paper before January 1, 2027, and while you are in there, get the data-access, audit, and explanation rights you will need to honor applicant correction requests.

This also matters when you evaluate new tooling. If a sourcing or screening vendor cannot tell you, in a way you could put in front of a candidate, why a given person was surfaced or scored, you cannot honor the SB 26-189 rights regime through them. Tools that expose their reasoning (again, the lane Refolk is built in) are easier to defend than black-box rankers.

What to keep building

Six concrete workstreams stay on the roadmap.

1. ADMT inventory. Map every tool in your TA, comp, and workforce-management stack that produces a prediction, recommendation, classification, ranking, or score about a person. Resume screeners, sourcing tools, scheduling optimizers, comp models, retention models, internal mobility matchers. You cannot scope consumer rights without this.
2. Pre-use notice copy. Drafts that tell Colorado applicants and employees when ADMT is in the loop, what it does, and how to request human review. Wire into your careers site, ATS application flow, and internal HRIS notices.
3. Adverse action and human-review workflow. A real intake for applicant requests to access data, correct inaccurate data, and request reconsideration. Service levels, owner, audit trail.
4. Three-year retention. A documentation system that holds vendor disclosures, your own ADMT inventory, decisions on materiality, training records, and human-review logs for three years minimum. Stand this up well before January 1, 2027 because operational changes to implement consumer rights may take several months to execute.
5. Bias-audit evidence, repurposed. The audits do not disappear, they get redirected. SB 26-189 preserved antidiscrimination liability, NYC Local Law 144 still requires audits, Illinois AIVI still applies. The Q1 work becomes your defense file.
6. A vendor reckoning. Re-paper indemnification, demand explanation interfaces, and replace tools that cannot show their work.

3 years

The political signal

Colorado was the proof of concept for state-led AI regulation. Its retreat changes that assumption. Expect bills in California, Connecticut, and Texas to lose momentum or narrow toward the ADMT-and-rights model, and expect more federal preemption pressure through 2027. Plan for a federal fight, not a 50-state patchwork.

But on the specific question of what your Colorado-resident applicants and employees can ask you for, on January 1, 2027, the answer is: more than the headlines suggest. Build accordingly.

FAQ

Is the Colorado AI Act dead?

No. SB 24-205 was repealed, but SB 26-189 replaced it with a narrower automated-decision-making regime that takes effect January 1, 2027. Colorado still has the most far-reaching legislatively enacted private-sector AI law of any state. The risk-program and impact-assessment obligations are gone. Pre-use notice, an adverse-action process with human review, and three-year record retention remain. Enforcement is paused pending AG rulemaking, but the statutory deadline still anchors your timeline.

Do bias audits still matter under SB 26-189?

Yes, just not for the same reason. SB 26-189 removed the freestanding duty of reasonable care, but it explicitly preserved antidiscrimination liability under existing state and federal law. Audits become evidence in those cases. They also remain mandatory under NYC Local Law 144 and relevant under Illinois AIVI. If you already paid for the work in Q1 2026, redirect it into your discrimination-defense file rather than scrapping it.

Does SB 26-189 cover employees and not just consumers?

Yes, and this is the biggest shift most TA teams have not internalized. The Colorado Privacy Act has historically carved out employee and applicant data outside of biometrics. SB 26-189 deliberately closes that gap. The statutory definition of "consumer" expressly includes employees and Colorado resident job applicants, and consequential decisions include hiring, termination, promotion, compensation, and scheduling. Your workforce data is in scope.

What should I do about my existing ADMT vendor contracts?

Re-paper them before January 1, 2027. SB 26-189 voids indemnification clauses that shift a deployer's own antidiscrimination liability to a vendor, so a lot of standard 2024 and 2025 MSA language is unenforceable in Colorado. While you are in the contract, secure the data access, explanation rights, and audit cooperation you will need to honor applicant correction requests and human-review obligations. Vendors that cannot expose their reasoning will be hard to defend through.