Colorado rewrote its AI law, and your vendor contracts are the part that changed
Colorado replaced its 2024 AI Act with SB 26-189, dropping impact assessments but voiding indemnity clauses and ending federal exemptions software companies relied on.
On May 14, Colorado’s governor signed SB 26-189, which repeals and replaces the 2024 Colorado AI Act before that law ever took effect. The new statute takes effect January 1, 2027. If you build or buy software that scores, ranks, or recommends decisions about people, this is the version you now have to plan around.
The headline is that the law got narrower. The old framework regulated any “high-risk artificial intelligence system” and imposed a duty of reasonable care to prevent algorithmic discrimination, backed by mandatory risk management programs and impact assessments. SB 26-189 throws out all three of those. In their place is a regime focused on “automated decision-making technology” that materially influences a “consequential decision,” meaning access to or eligibility for things like employment, housing, lending, insurance, healthcare, and government benefits. Most teams will read the deleted impact-assessment requirement and exhale. That is the wrong place to spend your attention.
Two changes quietly raise your exposure. First, the new law eliminates the conditional exemptions the original gave to some federally regulated entities. If you sold into banks or insurers and assumed their federal regulator put you out of Colorado’s reach, that assumption is gone. Plenty of vendors who were comfortably outside the 2024 version are inside this one. Second, and this is the part I would flag to any software company immediately, the law voids any contract clause that purports to indemnify a party for its own ADMT-related discriminatory acts in a consequential decision. Indemnification is how risk actually moves between a developer and a deployer in practice. A whole category of language sitting in your master agreements just became unenforceable for this specific exposure.
The operational reading splits by where you sit. If you are the developer, the model maker or the SaaS provider, you owe deployers technical documentation by 2027: intended uses, categories of training data, known limitations, and instructions for human review. That is a real deliverable, and the deployers buying from you will start asking for it during diligence well before the effective date. If you are the deployer, the one actually making the call about a person, you owe consumers clear notice at the point of interaction, a plain-language explanation within 30 days of an adverse outcome, and a path to access data, correct inaccurate data, and request meaningful human review. None of that works as a bolt-on. It has to be designed into the product flow: you cannot explain an adverse outcome a month later, or let someone correct the data behind it, unless the inputs, the model version, and the output of that specific decision were recorded at the time it was made.
This quarter, pull your standard AI vendor agreement and find the indemnification and limitation-of-liability sections. Mark which clauses were doing the work of allocating discrimination risk. For Colorado consequential decisions those clauses no longer hold; your real protection now lives in the technical documentation, the human-review path, and your own diligence on the model, not in a paragraph your counterparty signed.