Insights and Analysis

Mile‑High machine learning: New policy framework would significantly alter Colorado AI Act

23 March 2026

A new proposal from a group convened by Colorado's Governor to repeal and replace the Colorado AI Act flips the focus of Colorado's AI framework from regulating how high-risk AI systems are designed, deployed, and monitored to considerations regarding consumer-facing rights and transparency obligations. If adopted, the framework would significantly reduce prescriptive compliance obligations for both AI developers and deployers, narrow the scope of regulated systems, and recalibrate liability exposure – while leaving open questions about how existing discrimination and consumer protection laws will be enforced in practice. The timing and substance of the proposal indicates that it may be designed, at least in part, to mitigate the risk of federal preemption risk and preserve Colorado's eligibility for federal broadband funding under recent executive action.

Background

On March 17, 2026, nearly two years after the enactment of the Colorado Artificial Intelligence (AI) Act (CAIA), the Colorado AI Policy Work Group, which was convened by Colorado Governor Polis, made public its proposal to repeal and replace the CAIA.

The CAIA, loosely modeled on the EU AI Act, takes a risk-based approach to AI regulation and focuses on “high-risk AI systems,” which are AI systems that make or play a substantial part in making decisions about consumers related to education, employment, financing or lending, essential government services, healthcare services, housing, insurance, or legal services. It requires developers and deployers of such systems to use reasonable care to avoid algorithmic discrimination in high-risk AI systems and disclose specified information to stakeholders. Deployers also have obligations to conduct impact assessments, implement risk management plans, and provide consumers with a mechanism to appeal adverse decisions. A duty of care (with a rebuttable presumption) anchors compliance. Although it was originally slated to take effect on February 1, 2026, the Colorado legislature delayed enactment to June 2026.

The CAIA has faced challenges both before and after enactment. Prior to its enactment, several industry groups urged the Governor to veto the bill due concerns around the potential for the bill to hamper innovation and put small businesses at a disadvantage against large corporations. And in June 2024 Governor Polis, Attorney General Weiser, and State Senator Rodriguez (an architect of the original bill) outlined the changes they’d like to see made to the law, informed by industry feedback. In October 2025, Governor Polis convened an “AI Policy Workgroup” described as a “diverse membership including groups representing consumers, hospitals, school districts, and other users of technology, and large and small technology companies” tasked with developing an updated policy framework for the legislature’s consideration.

The timing of the Work Group’s proposal aligns with a number of happenings at the state and federal level.

First, Colorado’s legislative session is only around half-way through; it is scheduled to run through May 13, 2026, giving Colorado legislators nearly two months to review and suggest revisions to the proposal.
Additionally, this proposal may have been timed to coincide deadline for the Department of Commerce report required by President Trump’s Executive Order Ensuring a National Policy Framework for Artificial Intelligence (EO). Under the EO, Commerce is tasked with issuing a Policy Notice specifying Broadband Equity Access and Deployment (BEAD) Program funding conditions; states with “onerous” AI laws may be ineligible for non-deployment funds. An updated CAIA could support a position that Colorado should not be subject to funding restrictions, in the event it is included on the list. Also under the EO, the Federal Trade Commission (FTC) is required to issue guidance on the application of the FTC Act’s prohibition on unfair and deceptive practices to AI models, and the circumstances under which state laws that require AI systems to alter truthful outputs are preempted under the FTC Act’s prohibition on unfair or deceptive acts. A framework that moves away from preemptive output monitoring may be an attempt to avoid federal preemption.
The timing of this proposal (perhaps coincidentally) also aligns with the publication on March 20, 2026, of President Trump’s National AI Legislative Framework, which calls for the establishment of a federal AI policy framework to “protect American rights, support innovation, and prevent a fragmented patchwork of state regulations that would hinder our national competitiveness, while respecting federalism and State rights.” The framework calls on Congress to “preempt state AI laws that impose undue burdens to ensure a minimally burdensome national standard consistent with these recommendations.”

A new framework proposal

A scope change

The Work Group's proposal narrows the types of systems that would be in scope for the law, in a potentially helpful move for companies.

Rather than regulating “high-risk AI systems,” as the CAIA currently does, the proposal seeks to govern “Covered ADMTs” (Automated Decision-Making Technology), which are ADMTs used to “materially influence” a consequential decision. “Materially influences” means the ADMT output: (a) is a “non-de minimis factor” that is used in making a consequential decision; and (b) affects the outcome of the decision, including by constraining, ranking, scoring, recommending, classifying, or otherwise meaningfully altering how the decision is made.

In a similar move likely designed to give companies more flexibility, the proposal also scopes out a broader list of activities from the definition of “consequential decision,” including “advertising, marketing, differentiated product recommendations, search, or content moderation” and activities relating to technologies used for cybersecurity, fraud prevention (including “identity verification; customer identification, monitoring, and reporting controls required under state or federal law; anti-money laundering and counter-terrorist financing controls; and economic sanctions compliance” and excluding facial recognition systems for verification purposes), spam filtering, or system reliability.

A structural shift: From risk‑based governance to transparency

This proposal pivots away from a law that looks more like European AI regulation (with risk tiers, lifecycle governance, audits, and reporting obligations), and more towards a framework rooted in notice and transparency.

Developers: From Duty to Documentation.
- Current Law:The CAIA imposes a duty of care on developers of high-risk AI systems to prevent algorithmic discrimination.
- Proposal: This proposal would replace the duty of care with obligations to provide deployers with documentation for ADMT systems that are “marketed, advertised, configured, contracted for, sold or licensed to be used to materially influence a consequential decision” and where the ADMT system is developed with the intention of such use, the developer could reasonably foresee such use, or the developer becomes aware of such use.
  - Such documentation must describe: the intended uses and known harmful or inappropriate uses; the categories of data used to train the system, to the extent known; known limitations of the system, including known risks and circumstances in which the system should not be used; instructions for the deployer's appropriate use, monitoring, and meaningful human review, where applicable; and information reasonably necessary for the deployer to comply with its obligation to provide consumer notices. Deployers must provide notice to deployers of “material” updates when applicable and must retain records of their documentation for at least three years.
- This would move the law in seemingly opposite direction from a new federal bill proposed by U.S. Senator Marsha Blackburn in December 2025, which would place a duty of care on AI developers in the design, development, and operation of AI platforms to “prevent and mitigate foreseeable harm to users.”
Deployers: From Risk Management to Records Retention. Most of the explicit responsibilities for deployers under the CAIA are removed under this proposal. However, deployers still must provide certain notices to consumers, including after “adverse outcomes.”
- Current Law: The CAIA currently requires deployers of high-risk AI systems to implement a risk management policy and program, complete annual impact assessments, conduct annual audits for deployed systems, provide information to consumers about their use of such systems, inform consumers of their rights under the Colorado Privacy Act, make public disclosures regarding their use of high-risk AI systems and potential discrimination risks, and alert the Colorado Attorney General in the event they discover algorithmic discrimination within 90 days (with some exemptions for small businesses).
- Proposal: Most of these obligations do not appear in the proposal. Instead, deployers must retain for at least three years records reasonably necessary to demonstrate compliance with their obligations. Deployers would also be required to provide consumers with a “point-of-interaction” notice disclosing their use of a covered ADMT system and notify consumers within 30 days of an “adverse outcome”, including information on how to request meaningful human review or reconsideration, “if available.”

Liability, enforcement, and rulemaking

Like the CAIA, the proposal bars private rights of action. And while the CAIA allows, but does not require, the Attorney General to promulgate Rules under the CAIA, the proposal would require the Attorney General to adopt certain Rules, although limited to address only post-adverse disclosure requirements for deployers.

Finally, while the CAIA is silent on liability structures, the proposal would bar the creation of joint and several liability, except to the extent permitted under existing law, in favor of an arrangement where the allocation of fault among deployers and developers is based on their relative fault for the violation of existing law.

Practical implications for companies

While the proposal would narrow the scope of prescriptive AI governance in Colorado, it does not eliminate exposure under existing discrimination, consumer protection, or privacy regimes—nor does it reduce the importance of careful contracting and cross‑jurisdictional compliance planning.

Assessment requirements may still be inherent or required under other frameworks. While many explicit obligations like pre-deployment assessment and audit requirements do not appear in the Colorado AI Policy Work Group’s proposal, companies should keep in mind that they would still have obligations to avoid discriminatory practices, necessitating some form of assessment of the technologies they use and monitoring of the types of decisions they make. And even if many of the obligations on developers and deployers are ultimately removed, companies may still be subject to automated decision-making rules under the California Consumer Privacy Act regulations.
Implications for contracts. And while developers and deployers may be reassessing how they structure their compliance programs, they may also want to review the liability provisions of their vendor or customer agreements; section 6-1-1706.5(7) makes clear that contractual provisions that seek to reduce or transfer liability from a party as the result of its own discriminatory acts are void as against public policy.
Still a ways to go. Finally, this proposal, while presented with unanimous support of the Colorado AI Policy Work Group, still has a ways to go before becoming law. Some Colorado legislators have offered mixed reactions to the proposal, and it has not yet been taken up for formal consideration.

Authored by Mark Brennan, James Denvil, and Sophie Baum.