Colorado's AI law is no longer just a statute on a compliance calendar. It is now moving on three tracks at once.
The state has enacted a revised automated decision-making law. It has enacted a separate chatbot safety law. And the Colorado Attorney General has opened pre-rulemaking for both, with informal public input due July 13, 2026.
At the same time, xAI is challenging Colorado's AI framework in federal court, and the U.S. Department of Justice has intervened against the state law. That means Colorado is becoming the first major test of what happens when state AI governance, federal constitutional objections, and practical compliance rulemaking all collide before the operative date.
For companies, the practical point is simple: the January 1, 2027 compliance date still matters, but the rules that will define the day-to-day obligations are being shaped now.
What Colorado Is Rulemaking
The Colorado Attorney General's office is seeking input on rules under two laws:
- Senate Bill 26-189, the Automated Decision-Making Technology Act.
- House Bill 26-1263, the Chatbot Safety Act.
SB26-189 repeals and reenacts Colorado's earlier AI framework with new requirements for automated decision-making technology used to materially influence consequential decisions. The statute defines automated decision-making technology, or ADMT, as technology that processes personal data and uses computation to generate outputs such as predictions, recommendations, classifications, rankings, scores, or other information used to make, guide, or assist a decision about an individual.
The covered decision domains include education, employment, housing, financial or lending services, insurance, health-care services, and essential government services and public benefits.
Starting January 1, 2027, developers of covered ADMT must provide deployers with technical documentation about intended uses, training-data categories, known limitations, and instructions for appropriate use and human review. Developers and deployers must also retain records needed to demonstrate compliance for at least three years.
Deployers will have consumer-facing obligations too. They must provide notice at the point of interaction with covered ADMT. If a covered ADMT materially influences a consequential decision that results in an adverse outcome, the deployer must provide a plain-language post-adverse-outcome explanation within 30 days. Consumers also receive rights to request personal data, correct factually incorrect personal data used by the covered ADMT, and request meaningful human review and reconsideration.
The Attorney General must adopt rules by January 1, 2027 to clarify post-adverse-outcome disclosures and meaningful human review. The statute also gives the Attorney General broader discretionary rulemaking authority, including the ability to clarify "materially influence."
That phrase is likely to become one of the central compliance questions. The pre-rulemaking paper specifically asks for objective indicators that could distinguish material influence from de minimis or otherwise non-material use.
The Chatbot Law Is Broader Than Disclosure
HB26-1263 addresses publicly available conversational AI services that simulate human conversation through text, visual, or audio communications.
Beginning January 1, 2027, operators must disclose that users are interacting with AI. They must use commercially reasonable or generally accepted methods to estimate user age. If an operator knows that a user or account holder is a minor, the law imposes additional duties, including restrictions on engagement incentives, safeguards against sexually explicit content and simulated emotional dependence, suicide and self-harm response protocols, privacy and account-setting tools, and annual reporting to the Attorney General.
The law also prohibits operators from representing chatbot outputs as equivalent to services provided by specified licensed or certified professionals.
The Chatbot Safety Act does not itself require rulemaking in the same way the ADMT Act does. But the Attorney General says rulemaking would help clarify compliance obligations, including the annual reporting requirement and any additional metrics necessary to assess safeguards and response protocols.
That makes the rulemaking important for more than high-risk decision systems. Any company operating a public-facing conversational AI service with Colorado users should be watching the chatbot questions too.
The Attorney General's Five Principles
The pre-rulemaking paper says the Department of Law will use five principles:
- Promote consumer rights.
- Clarify ambiguities.
- Facilitate efficient and expeditious compliance.
- Harmonize with other state, national, and international frameworks.
- Allow for innovation.
That list matters because Colorado is trying to solve two problems at once. It wants enforceable consumer protections, but it also knows vague rules can make implementation harder and litigation more likely.
The most important open questions include:
- When does an ADMT "materially influence" a consequential decision?
- What tools qualify as ADMT, and what tools merely summarize, organize, or present information?
- How should the rules distinguish developers, deployers, and other participants in an AI supply chain?
- What should post-adverse-outcome disclosures include in different sectors?
- What does meaningful human review require in practice?
- What metrics should chatbot operators report to the Attorney General?
- How should Colorado's rules interoperate with other state, federal, and international AI, privacy, discrimination, and consumer-protection frameworks?
Those are not abstract questions. They will determine whether the Colorado framework becomes a manageable compliance regime or a source of recurring uncertainty.
The Litigation Shadow
The rulemaking is happening while Colorado's AI law is under active federal challenge.
xAI sued Colorado Attorney General Phil Weiser in April 2026, challenging the state's algorithmic-discrimination framework. DOJ later moved to intervene, arguing that the Colorado law violates the Equal Protection Clause by requiring AI companies to prevent unintentional disparate impact based on protected characteristics while exempting some discrimination designed to advance diversity or redress historic discrimination.
The DOJ intervention is significant even apart from the merits. It shows federal willingness to participate directly in litigation over state AI laws, especially where the federal government views state requirements as conflicting with national AI policy, constitutional limits, or innovation priorities.
Separately, the docket reflects a procedural stay of Colorado Attorney General enforcement pending the preliminary-injunction sequence. That does not resolve the merits. It also does not make the rulemaking irrelevant. To the contrary, the preliminary-injunction schedule appears tied to final implementing rules, which makes the rulemaking record part of the litigation landscape.
For covered companies, the wrong lesson would be to assume the lawsuit eliminates the need to prepare. The better reading is that the rulemaking record may define the obligations, the compliance burden, and the constitutional stakes.
What Companies Should Do Now
Companies do not need to wait for final regulations to start the useful work.
First, inventory systems that may materially influence decisions about education, employment, housing, lending, insurance, health care, or government benefits. The key question is not whether a system is branded as AI. It is whether computation using personal data produces an output used to make, guide, or assist a decision about an individual.
Second, map the supply chain. Colorado separates developer and deployer obligations, but many commercial arrangements are messier than that. Vendors, customers, integrators, model providers, and internal teams may all contribute to the final decision process.
Third, test existing documentation against Colorado's likely documentation topics: intended uses, training-data categories, known limitations, appropriate use, human review, material updates, and compliance records.
Fourth, design adverse-outcome workflows before the final rule lands. A deployer that cannot explain the role of ADMT in a specific adverse decision will struggle to meet a 30-day disclosure requirement.
Fifth, review chatbot operations for minor-facing risk. Age estimation, recurring AI disclosure, self-harm escalation, emotional-dependence safeguards, privacy tools, and professional-services disclaimers are design and governance issues, not just legal copy.
Finally, consider commenting before July 13. The Attorney General is asking for concrete feedback on ambiguity, unintended consequences, compliance burdens, sector-specific examples, and interoperability. Companies that wait for formal draft rules may miss the best chance to shape the starting point.
Bottom Line
Colorado is becoming the first serious stress test for state AI governance.
The state is trying to turn broad AI statutes into operational rules. The federal government is challenging the legal theory behind parts of the framework. Companies are trying to understand how to build notices, documentation, review rights, and chatbot safeguards before January 2027.
That makes the current pre-rulemaking window unusually important. It is not just a comment period. It is the first draft of what AI compliance may look like when consequential-decision systems and conversational AI services are regulated as consumer-protection infrastructure.
Sources
- Colorado Attorney General AI rulemaking page
- Colorado ADMT and Chatbot Safety pre-rulemaking considerations paper
- Colorado SB26-189 Automated Decision-Making Technology
- Colorado HB26-1263 Conversational Artificial Intelligence Service Operator Requirements
- DOJ announcement of intervention in xAI challenge
- Civil Rights Litigation Clearinghouse docket page for xAI v. Weiser

