Colorado’s Updated AI Law: What Businesses Need to Know Before January 2027
By Zach Horton
Colorado drafted an AI law back in 2024. And before it even went into effect, the legislature decided to rewrite it. That probably tells you something about how fast this space is actually moving.
I’ve been watching both bills pretty closely, and honestly the update is a good thing. The first version was a decent starting point. The new one is more specific, more practical, and a lot clearer about who’s responsible for what. If your business uses any kind of AI-assisted tool to make decisions about people, whether that’s hiring software, a loan approval platform, anything like that, this is worth a few minutes of your time.
What the Original Law Did
Colorado’s SB 24-205 was one of the first laws in the country to specifically address AI in consumer decisions. The core idea was pretty simple: if AI is influencing big decisions about someone’s life (think job offers, housing, medical care, loans), there need to be some guardrails. Businesses had to notify people when AI was involved, give them a way to push back, and make sure the system wasn’t producing discriminatory outcomes.
Good foundation. But as AI moved faster than anyone expected, it started showing some gaps.
A law written in 2024 needed an update before it even went live. That’s not a knock on the legislature. That’s just how quickly things are changing right now.
What SB 26-189 Actually Changes
The new bill, introduced in May 2026 and pending signature, broadens the scope and tightens the details. Instead of just focusing on “high-risk AI,” it covers any tool that processes personal data to help make decisions about people. They’re calling it “Automated Decision-Making Technology,” which is a clunky name but a pretty accurate description of a lot of software that’s already out there.
The notable updates
- Employees and job applicants are now explicitly covered, not just general consumers
- If someone gets an unfavorable decision influenced by one of these tools, they have to be notified within 30 days in plain language
- People can request that inaccurate data used in a decision about them gets corrected
- Businesses get a 60-day window to fix a problem before the Attorney General steps in (more workable than the previous version)
- Clearer lines on who’s on the hook: the company that built the tool, the company using it, or both
- You can’t use a contract to get out of discrimination liability
There are also some tailored exemptions for insurers under existing state oversight and healthcare entities under federal privacy law. So it’s not a blanket rule for every business everywhere, but it does cast a wider net than before.
If it gets signed, and it’s expected to, this takes effect January 1, 2027. Not a ton of runway if your vendors aren’t already thinking about this stuff.
And Then There’s the Security Side of Things
The compliance piece is one thing. But it’s hard to talk about AI right now without also acknowledging that the risk picture shifted pretty dramatically in a short window. A few numbers that stuck with me when I was putting this together:
- 44 days: average time to exploit a known vulnerability in 2025. It was nearly two years in 2020.
- 30% of known security flaws are now being exploited within 24 hours of going public.
- 454,000+ harmful software packages discovered online in 2025, up from 55,000 in 2022.
The thing I keep coming back to is that you don’t need to be a sophisticated attacker anymore. That bar has basically dropped to the floor. Which means the businesses that are paying attention now are in a genuinely better position than the ones that aren’t, and the gap is widening.
That’s not meant to be a scare tactic. It’s just context. AI is a great tool. It’s also a tool that other people can use against you if you’re not being thoughtful about it.
So What Should You Actually Do?
If you’re a Colorado business using AI-powered platforms in any kind of decision-making capacity, now is a good time to ask your vendors some basic questions. How does this tool actually work? What data is it using? Does your documentation support transparency if someone asks for it? Vendors who can’t answer those questions clearly are probably worth a second look before January rolls around.
And if you’re not sure where to start, that’s kind of exactly what I’ll be getting into at the happy hour. Happy to dig into specifics with anyone who wants to talk through their actual setup.