As Colorado prepares to implement a landmark new framework governing artificial intelligence beginning January 1, 2027, the state is once again at the center of the national debate over AI regulation. The revised legislation replaces Colorado’s earlier, more stringent AI law with a streamlined approach focused on transparency, disclosure, and oversight of automated decision-making technologies in high-impact areas such as employment, healthcare, housing, education, and financial services. The new framework reflects years of policy discussions, industry feedback, legal challenges, and growing concerns about balancing innovation with consumer protection.
To better understand the implications of these changes, we speak with Cat Casey, a recognized legal technology expert and AI governance specialist. Casey offers insight into why Colorado’s AI legislation has undergone such a lengthy evolution, the key provisions organizations should be paying attention to, and what this regulatory shift signals for the future of AI governance across the United States. As businesses, policymakers, and technology developers prepare for the 2027 rollout, Casey shares her perspective on how the law may shape industry practices, compliance strategies, and the broader conversation around responsible AI deployment.
Why has Colorado’s AI legislation taken nearly three years to reach this point?
Colorado’s AI legislation took three years because it was set up for trouble from day one. Governor Polis signed SB 205 in May 2024 with reservations and urged fixes before implementation. The equivalent of sending it back to the legislature with the equivalent of a sticky note saying “Please fix.”
At its core, the original bill tried to do to much and pulled off a hat trick of fail instead. Under the bill, a wide array of companies touching AI, from employment to housing or insurance, were subject to one-size-fits-few requirements. Proportionality was forgotten, definitions left companies confused about how to even comply, and liability extended as far as the eye could see.
Lawmakers, regulators, and stakeholders tried unsuccessfully to apply amendment band-aids to the bill for over two years. Until a trifecta of an XAI suit, DOJ involvement and a judicial freeze made them decide a full rewrite would be easier.
In just six weeks a new bill was drafted, signed and is set to take effect at the first of the year. Hopefully the Governor and the legislature learned from the missteps of the prior bill and this one survives.
How does Colorado’s approach differ from other state-level AI regulations currently under consideration?
Going first is hard as Colorado learned from the failure of its broader more EU AI Act aligned first bill. The state bulled back from being the broadest EU style risk framework nationally to on the lighter end of the spectrum. The rewrite put Colorado among the more restrained state AI regulations currently on the books. This is the opposite direction most new state level AI policy is going. While some may argue this is a bad thing, the narrower approach may allow the bill to finally reach enforcement something the broader approach never managed in three years before getting sued into oblivion.
Who will feel the effects of this legislation most immediately?
The new bill replaces the broad “high-risk artificial intelligence system” and “algorithmic discrimination” framework with a narrow focus on “automated decision-making technology.” Specifically, organizations that use automated decision-making to materially influence consequential decisions.
This change meaningfully shifts enforcement from regulating types of organizations broadly to assessing them based on how their AI is being used and what decisions it is driving. The question is no longer whether you are a company that uses AI. Rather, do you use AI to determine who gets hired, housed, insured, educated, approved, or denied.
If the answer is yes, you are in scope once the freeze on enforcement is lifted. That said, heavily regulated industries got real carve-outs here. HIPAA-covered entities, FDA-regulated pharma, and state-regulated insurers already living under sector-specific requirements are largely exempt. If your industry already has a regulator watching how you make these decisions, Colorado is not piling on.
Could this become a model for other states and effectively set a de facto national standard?
Whether the bill is a model for other states or nationally depends on what they want to accomplish. The bill is narrower and far less ambitious than other states are trending. If states are optimizing for maximum consumer protection, the bill lacks the teeth. But if the objective is to enact a bill that will make it to enforcement in an increasingly hostile federal preemption environment, the bill may be appealing. It may be less about being the best and more about being the most likely to survive.
What would nationwide adoption of similar rules mean for AI companies?
The most interesting shift in a nationwide adoption of this type of framework is that most large AI companies could no longer treat downstream implementation as the deployer’s problem. Their compliance burden would shift from merely “Did we build the model responsibly?” to “How are customers, middleware providers, integration partners, and end users turning this capability into automated decision-making technology?”
For the foundational model players, national adoption of this framework would force much closer scrutiny of how their models are wrapped, embedded, configured, and used downstream. For smaller players the cost of complying with documentation and contractual obligations on developers could quickly compound.
How does the legislation define “high-risk” AI systems?
The new bill replaces the concept of high-risk systems completely with the concept of “Automated Decision-Making Technology.” The rewrite fully removes the EU-style risk tiering in favor of a focus on automation that “materially influences” a category of things called consequential decisions. Those consequential decisions cover seven specific domains: employment, housing, lending, insurance, healthcare, education, and essential government services. If your AI is not touching one of those seven things, you are outside the scope of the law entirely.
How does this effort fit into the broader debate over federal versus state AI regulation?
The rewrite is a direct response to the current administration at the federal level identifying the prior bill as excessive state regulation. After watching the prior bill get frozen in federal court, rather than continuing to battle state versus federal supremacy, this represents a third path. The new bill is exhibit A in what AI law at the state level looks like when optimized for surviving federal scrutiny.