Two Years of Regulatory Whiplash: What Colorado AI Compliance Actually Looks Like Now

Two years ago, Colorado passed the country's first comprehensive AI anti-discrimination law. Eighteen months ago, companies across the state were spending real money to comply with it. Today, that law has been repealed, replaced by a different law that doesn't take effect until January, and Congress introduced a bill last week that could preempt that one before it ever kicks in.

If you've been trying to build a stable AI compliance program in Colorado, you've been doing it in quicksand. That's not a failure of planning. It's a failure of the regulatory environment to give you anything solid to plan around.

With this in mind, here is my honest read on where things stand, what I think happens next, and what Colorado businesses should actually be doing right now.

How Colorado's AI Law Got Repealed and Replaced

SB 24-205 was genuinely ambitious. It imposed affirmative obligations on developers and deployers of "high-risk AI systems," required impact assessments, mandated risk management programs, and created a duty of care to prevent algorithmic discrimination in consequential decisions touching employment, housing, credit, education, and healthcare. For about eighteen months, companies in those sectors spent real money to comply. Cybersecurity and AI governance firms built SB 205-specific product lines. Insurance companies commissioned AI system inventories. The Colorado AG began rulemaking. The compliance infrastructure was taking shape.

None of it mattered. The law never took effect.

What killed it was a coordinated federal intervention that moved faster than most people anticipated. In December 2025, President Trump signed an executive order targeting SB 205 by name as "excessive state regulation" and stood up a DOJ AI Litigation Task Force with an explicit mandate to challenge state AI laws. Elon Musk's xAI filed a constitutional challenge in the U.S. District Court for Colorado in April 2026. The Department of Justice intervened four days later — it was the first time DOJ had ever joined a lawsuit challenging a state AI law. A federal magistrate judge stayed enforcement on April 27. With the June 30 effective date approaching and the legal foundation gone, the Colorado legislature acted. SB 26-189 passed 57-6 in the House and 34-1 in the Senate. Governor Polis signed it May 14. SB 205 was repealed.

I want to flag something about the constitutional arguments xAI and DOJ advanced, because they'll recur. The core First Amendment claim is that requiring an AI model to produce less biased outputs constitutes compelled speech: that forcing a developer to engineer different outputs is forcing the developer to say different things. The Equal Protection argument ran in both directions. Neither was adjudicated on the merits. The legislative repeal mooted the case before a court could rule. Both theories are now established templates for challenging any state AI law that imposes substantive obligations on how models produce outputs. That question will eventually reach the Supreme Court. I'll come back to it.

For companies that built SB 205 compliance programs, how much of that work transfers depends entirely on how you built it. Programs built around NIST as the organizing framework, with modular governance infrastructure, are largely portable. Programs built tightly to SB 205's specific provisions (duty-of-care language, AG disclosure forms, impact assessment templates calibrated to the law's definitions) have limited carryover value in the SB 189 world. That's a hard truth, and I say it not to criticize anyone who built the latter. The law looked like it was going to take effect.

What Colorado SB 26-189 Requires of Businesses

The framing of SB 189 as "watered-down" misreads what the law does. The two laws have different scope and different compliance structures, and some businesses that assumed they were out of SB 205's reach are squarely in SB 189's.

The new law covers "automated decision-making technology" used to make or materially contribute to "consequential decisions" involving employment, education, financial services, healthcare, housing, and essential government services. The prior law's "high-risk AI system" framing was risk-calibrated by technical architecture. SB 189's "ADMT used in consequential decisions" framing is use-calibrated. An HR technology tool that fell below SB 205's threshold because of how the model was structured may qualify as ADMT under SB 189 if it influences hiring or termination decisions. That shift matters, and it catches some businesses off guard.

The compliance obligations are fundamentally different in kind. Developers must provide deployers with technical documentation describing intended uses, known inappropriate uses, categories of training data, and instructions for monitoring. Deployers must provide pre-decision notice that ADMT will be used, allow individuals to appeal adverse decisions, and disclose what personal data was used. Both parties retain records for at least three years. The AG has exclusive enforcement authority. A 60-day cure window applies through January 1, 2030. There's no private right of action.

Here is the practical problem: the AG hasn't completed the rulemaking required before the January 1, 2027 effective date. Key terms are still undefined. Companies planning compliance programs today are doing so against an incomplete regulatory text — the same problem that plagued early SB 205 planning. The lesson from that experience is to build modular, NIST-anchored governance infrastructure rather than programs calibrated to specific rule language that may shift in rulemaking. Seven months is enough time to build it right if you start now.

The Federal AI Picture: The Great American AI Act and Executive Action

Against this background, here is where the federal picture sits. Three things are moving simultaneously and they don't align neatly. Understanding the gaps between them matters more than tracking any one of them in isolation.

The executive branch has been running an active campaign to deter state AI regulation since December 2025. I want to be clear about what the December order can and can't do. Its constitutional authority to actually preempt state law is genuinely contested. Federal preemption by executive decree, without clear congressional authorization, is not established constitutional doctrine. Courts are generally more reluctant to find state laws preempted by executive orders than by statutes. The order's real effect has been the DOJ task force, not direct legal preemption. The xAI intervention was the task force's first major action. It won't be its last.

On June 2, the White House issued a second executive order, "Promoting Advanced Artificial Intelligence Innovation and Security," focused on cybersecurity. It establishes an AI Cybersecurity Clearinghouse with Treasury, NSA, and CISA, and creates a voluntary framework for frontier developers to share pre-release model access with the government in exchange for early partnership status. It expressly states that nothing in the order creates mandatory licensing or permitting requirements for AI model development. Read alongside the December order, the administration's posture is consistent: deregulatory at the model development layer, willing to use DOJ as a tool against state laws it dislikes, but not yet imposing federal licensing.

Last week, Reps. Obernolte and Trahan released the "Great American AI Act," a 269-page bipartisan discussion draft. This is the first serious legislative vehicle to implement the White House framework's preemption call. The three-year preemption provision would apply to state laws "specifically regulating the development" of AI models. It covers model-development regulation. It does not, as written, cover use and deployment regulation. Colorado's SB 189, which regulates how ADMT is deployed in consequential decisions, would likely survive this preemption provision as written. California's AB 2013 (training data transparency) and part of SB 942 (content watermarking) are specifically named as targets.

The bill's substantive requirements for large frontier developers (over $500M revenue) are real: mandatory safety frameworks, critical incident reporting, semi-annual third-party audits, codification of NIST's Center for AI Standards and Innovation, $100M annually from 2027 to 2029, whistleblower protections, increased AI-fraud penalties. Those provisions have bipartisan support and are likely to survive in some form.

Congressional opposition to the preemption piece is substantial. Democrats introduced the GUARDRAILS Act to block it. Thirty-six state attorneys general have signed a formal letter against it. Congress already rejected preemption provisions in both the One Big Beautiful Bill Act and the National Defense Authorization Act this session. The consistent pattern: broad preemption of state AI law is easy to propose and hard to pass.

What States Are Doing in the Meantime

States are not waiting. Two developments from the last two weeks are worth watching closely.

Illinois SB 315 passed the House 110-0 on May 27. Governor Pritzker has said he'll sign it. It targets frontier AI developers with over $500M in revenue and requires annual independent third-party safety audits (the first mandate of its kind in any U.S. AI law), published risk frameworks, 72-hour incident reporting, whistleblower protections, and proportional fees to fund administration. Civil penalties reach $3M per violation.

What I find significant is the substantive overlap with the Obernolte-Trahan bill. Both require frontier developers above $500M to publish safety frameworks, report critical incidents, and submit to audits. If the federal bill passes with those provisions intact, a company building for Illinois compliance should be in reasonable shape for federal compliance as well. The gap is that the federal bill allows compliance through voluntary frameworks; Illinois mandates the audit regardless. That gap may narrow in negotiation, or Illinois may become the de facto national standard for safety auditing the way California's emissions rules became the national baseline for automakers.

California's 2026 AI laws — SB 53, AB 2013, and SB 942, effective since January — are the other relevant development. AB 2013 and part of SB 942 are specifically in the Obernolte-Trahan preemption crosshairs. California has signaled it will litigate. Whatever that litigation produces will shape the constitutional doctrine on model-development preemption for years.

The Constitutional Question That Will Define This Field

The deepest uncertainty in AI regulation right now is a constitutional question that won't resolve until a case reaches the Supreme Court, and it won't be answered by tracking which specific law is in effect or when Congress might act.

The question: can a state require changes to what an AI model outputs in consequential decisions, or does that regulation compel expression in a way the First Amendment prohibits? The xAI litigation raised it and then watched it disappear when Colorado repealed SB 205 before the court could rule on the merits. The theory didn't go away. It's now an established challenge template, and the next state law that imposes substantive obligations on AI outputs will face it.

My read: the First Amendment argument is more aggressive than the Equal Protection argument, and I'm skeptical it ultimately prevails in its broadest form. Courts have generally not treated outputs of commercial systems as protected speech at the developer level in the way the theory requires. But I wouldn't dismiss it either. The DOJ signed onto it. A federal magistrate accepted it as a basis for a stay. And the administration's underlying theory has a policy logic to it even if it rests on contested legal premises.

What this means practically: any state law that requires changes to AI model outputs, rather than disclosure, notice, and appeals rights, is in the crosshairs. SB 189, which is largely a disclosure and notice regime, is more durable under this theory than SB 205 was. That's part of why the legislature pivoted to it. Illinois SB 315, which mandates how developers build and audit their systems, is closer to the compelled-speech theory than SB 189 is. If it survives long enough for a court to rule on a constitutional challenge, we'll get a merits ruling that will reshape the field.

The NIST Baseline

Separate from the legal turbulence, there's a quieter development worth noting. The NIST AI Risk Management Framework is becoming the de facto compliance baseline for enterprise AI, regardless of what any specific law requires. The FTC, CFPB, FDA, SEC, and EEOC all reference NIST AI RMF principles in their enforcement guidance. The Treasury Department released a Financial Services AI RMF in February 2026 with 230 specific control objectives. The Obernolte-Trahan bill would codify and fund NIST's Center for AI Standards and Innovation. Federal contractors face growing NIST AI RMF expectations in procurement.

Simply put, companies building AI governance programs around NIST are building something portable. When specific laws change or get preempted, the NIST-anchored governance architecture adapts. The compliance programs tightly wired to SB 205's specific rule language didn't.

The EU AI Act deadline of August 2, 2026 reinforces this. Any company with EU market exposure faces binding high-risk AI system obligations in employment, credit scoring, education, and healthcare in fewer than 60 days. The infrastructure required for EU AI Act compliance maps directly onto what SB 189 and the Obernolte-Trahan bill require. Global companies are better positioned than domestic-only companies right now, precisely because they were forced to build serious governance programs for international compliance.

To that end, the compliance investment that survives regulatory whiplash is the investment in governance architecture, not in specific rule compliance. Build the NIST-anchored system. Adapt the specific procedures to whatever law is in effect. That's the durable approach.

Where Colorado AI Regulation Is Heading

I'll be direct. These are judgments drawn from the evidence available today. I'll update them as the picture changes.

For Colorado businesses: the six months between now and January 1, 2027 are the window to build. SB 189's rulemaking will be complete before then. Build your compliance program against the completed rules, anchor it to NIST, and don't assume the federal picture resolves favorably before the effective date. It probably won't.

The patchwork doesn't resolve cleanly in the near term. In my judgment, the most likely equilibrium is a federal floor for model safety combined with a preserved state layer for deployment-level consumer protection. That equilibrium is probably three to five years away and will require at least one more round of state laws, one more wave of constitutional challenges, and whatever Congress eventually produces. Anyone telling you the picture is settling down isn't paying attention.

What This Means for Your Program

If you're a Colorado business that has been building AI compliance infrastructure, the honest summary is this: what you built for SB 205 may need restructuring, but it isn't wasted if the underlying framework was solid. The question is whether your compliance architecture is anchored to principles, specifically the NIST framework, or anchored to SB 205's specific rule language. The former adapts. The latter may need to be rebuilt.

I'd welcome a conversation about where your current program stands and what it would take to make it durable against the next round of changes. The analysis here is meant to frame the situation honestly. The practical answer is specific to your systems, your sector, and your exposure. That conversation is worth having before January.