What Is the Colorado AI Act (the First U.S. High-Risk AI Law)?
The Colorado AI Act is a state law enacted by Colorado in 2024 to regulate the development and deployment of high-risk AI. Formally titled SB24-205, "Consumer Protections for Artificial Intelligence," it drew wide attention as the first U.S. attempt to set comprehensive, statewide rules. Its aim was to require companies to exercise "reasonable care" so that AI would not produce unfair discrimination in life-altering situations such as hiring and lending.
Key terms in the Colorado AI Act
The "High-Risk AI Systems" Covered by the Law
A high-risk AI system means AI deeply involved in a "consequential decision" with major impact on a person's life. Specifically, this covers situations such as hiring and firing, loan approvals, housing, insurance, healthcare, educational opportunity, and government services. When AI is used as a "substantial factor" in such decisions, that system falls under the regulation. The design treated only uses tied directly to people's rights and opportunities as heavyweight, setting them apart from mere clerical efficiency tools.
Defining the Core Concept of "Algorithmic Discrimination"
The heart of this law is the concept of "algorithmic discrimination." The statute defined it as a condition where the use of AI results in unlawful differential treatment or impact based on protected attributes.
"Algorithmic discrimination" means any condition in which the use of an artificial intelligence system results in an unlawful differential treatment or impact that disfavors an individual or group of individuals on the basis of their actual or perceived age, color, disability, ethnicity, genetic information, limited proficiency in the English language, national origin, race, religion, reproductive health, sex, veteran status, or other classification protected under the laws of this state or federal law. — From the definition of algorithmic discrimination
A wide range of attributes—age, race, sex, disability, religion, and more—are enumerated. The law was rooted in the idea of preventing situations where AI unintentionally disadvantages particular groups.
The Duty of Care Imposed on Developers and Deployers
The law placed obligations on both the "builders" (developers) and the "users" (deployers) of AI. Developers were required to use reasonable care to protect consumers from foreseeable risks of algorithmic discrimination.
On and after February 1, 2026, the act requires a developer of a high-risk artificial intelligence system (high-risk system) to use reasonable care to protect consumers from any known or reasonably foreseeable risks of algorithmic discrimination in the high-risk system. — From the description of the developer's duty of care
Deployers also faced requirements such as maintaining a risk-management policy, conducting an impact assessment (a process to check in advance for harm AI might cause), notifying consumers, and offering an opportunity to appeal to anyone who received an adverse decision. In particular, the mechanism letting a consumer who received an adverse AI decision request human review symbolized the law's consumer protections.
Providing a consumer with an opportunity to appeal, via human review if technically feasible, an adverse consequential decision concerning the consumer arising from the deployment of a high-risk system. — From the deployer's obligation (providing an opportunity to appeal)
Why It Was Repealed Without Ever Taking Effect
Despite the attention it drew as the first such regulation, the Colorado AI Act vanished without ever taking effect. Behind this lay strong pushback from businesses that the obligations were "too heavy," and difficult negotiations to reshape the rules to fit practice. As a result, the effective date moved twice, and in the end the entire law was replaced.
Timeline of the Colorado AI Act
The Effective Date Slipped From February to June 30, 2026
The first turning point was the delay of the effective date. Obligations were originally due to begin on February 1, 2026, but amid repeated concerns from companies and industry groups about preparation time and burden, the state pushed the effective date back to June 30, 2026 via SB25B-004, enacted in August 2025.
The act extends the effective date of the requirements of Senate Bill 24-205 to June 30, 2026. — From the official summary on the delay of the effective date
This delay was a "buy time without changing the content" measure, and dissatisfaction with the substance of the obligations remained unresolved. So even after the delay, debate continued over how to rebuild the law.
Just Before Taking Effect, It Was Repealed and Replaced by SB26-189
Then on May 14, 2026, the governor signed the successor law, SB26-189, repealing the Colorado AI Act and replacing it with a new framework. Because the original law disappeared before the delayed effective date (June 30), SB24-205's obligations never actually came into force.
SB 26-189 repealed and replaced the AI Act. — From the description of the repeal and replacement of the Colorado AI Act
The accurate picture as of June 2026 is that "the first U.S. high-risk AI law was replaced by a successor without ever taking effect." It is an episode that shows just how volatile state-level AI regulation in the U.S. has become.
The New Rules Under the Successor Law, SB26-189
After the swap, SB26-189 changed the very approach to regulation. Where the old law centered on "high-risk AI systems" and "algorithmic discrimination," the new law regulates situations where "automated decision-making technology (ADMT)" is used in "consequential decisions." It helps to understand this as a shift in focus from "AI must not produce discrimination" to "transparency and accountability for automated decisions."
How the old and successor laws differ
The Axis Shifts From High-Risk AI to Automated Decision-Making Technology
What the successor law covers is automated decision-making technology that processes personal data and materially influences "consequential decisions." Life-critical situations such as hiring, housing, lending, insurance, healthcare, education, and government services remain in scope. The law drops the "high-risk AI" label and reorganizes the rules to cover automated decision-making mechanisms broadly, in proportion to the weight of the decision.
...covered ADMT that process personal data used to materially influence consequential decisions... — From the description of the technology and decisions covered by the successor law
New Obligations Requiring Notice, Explanation, and Human Review
The new law primarily demands "transparency" from businesses. A deployer must clearly tell consumers that ADMT is used in consequential decisions, explain the reasons in plain language within a set period when an adverse result occurs, and provide an opportunity for human review on request. Developers must provide deployers with technical documentation and notify them of material updates.
Developers must notify deployers of material updates or modifications to the covered ADMT. Both developers and deployers are required to retain records necessary to demonstrate compliance with the act for at least 3 years. — From the official summary of developer and deployer obligations
The Impact Assessment and Risk-Management Duties Dropped From the Old Law
On the other hand, several of the old law's heavier obligations were removed. The duty of care to prevent algorithmic discrimination, annual impact assessments, and maintaining a risk-management program—all burdensome requirements—are not carried over into the successor. The direction of the revision was to ease the "always-on management structure" that drew strong pushback, narrowing the rules to per-decision notice and explanation. This reflects the voices of an industry that called the old law "too strict."
What It Means for Japanese Businesses, and What Comes Next
Given this history, the right response for Japanese businesses also comes into view. Direct preparation for the old law, repealed before taking effect, is no longer needed—but the successor law and broader U.S. regulatory trends remain worth following.
What Japanese businesses should watch now
Direct Regulatory Obligations Have Vanished for Now
The first point to note is that because the Colorado AI Act (SB24-205) was repealed before taking effect, no obligations arise under that old law. Even if you had been preparing impact assessments or risk management under it, that obligation itself has vanished for now. Still, the revision did not "abandon regulation"—it "rebuilt the framework"—so it is not something you can safely ignore.
What to Watch in SB26-189, Effective in 2027
What matters in practice is the successor, SB26-189, set to take effect in January 2027. If you use automated decision mechanisms in "consequential decisions" such as hiring, lending, or insurance involving Colorado residents, you may fall under the new obligations of notice, explanation, and human review. Whether your service reaches Colorado consumers is the dividing line for whether you are covered. The final call on applicability can only be made by checking the statute and rules being developed toward the effective date.
Fragmented U.S. State Law and Its Relationship to the EU AI Act
From a broader view, U.S. AI regulation is fragmented across states and its content changes over short periods. The Colorado episode symbolizes that instability. For many Japanese companies, the EU AI Act—with its clear extraterritorial reach and a settled overall picture—is likely the higher-priority subject for now. Even from the standpoint of using multiple AIs in daily work, it is essential to track regulation by separating "which country's rules, and at what stage." For U.S. state law, checking the latest status each time is the realistic approach.
These overseas laws and primary materials are mostly published in English. When having AI summarize long English statutes or analyses, formatting them into Markdown first preserves the structure of headings and lists and improves summary accuracy. Pasting a web page as-is tends to mix in formatting noise, so cleaning up the source document before handing it over is the shortcut to stable results. For U.S. regulatory trends, see also the state attorneys general investigation into OpenAI and China's AI investment plan.
The Colorado AI Act set off as the first U.S. high-risk AI law, only to be replaced by a successor before it could take effect. For Japanese businesses, calmly following SB26-189, effective in 2027, and the shifting landscape of U.S. state law—rather than preparing for the old law—is the realistic way to be ready.
