Colorado is adjusting its AI governance approach with an updated draft for its AI Laws. Even though the original bill was signed into law in 2024, I was skeptical whether it would be enforceable on its intended deadline of June 30^th, 2026. Tech companies were seeing the law as impractical and burdensome, and, surely enough, a lawsuit was filed against the law earlier this year. Resultantly, the bill is being repealed, while Colorado’s AG filed a motion to pause the lawsuit.

Colorado’s Governor Jared Polis’ workgroup has come up with a new draft for the bill, which might have the required momentum to see things through. Let’s talk about this new draft, how it is different from the old one, and what businesses are now looking at.

Rewriting AI Regulation in Colorado

The opposition to the original law deemed it vague, impractical, and restrictive. There was a need for a more balanced approach and the new draft by Polis’ workgroup might bring that. Let’s see the changes made in the replacement bill which needs to pass before May 13^th (before Colorado’s legislature closes).

Risk Regulation to Transparency

The problem: The original law expected developers and deployers to carry out risk assessments for their AI systems, especially for discrimination. It also wanted the algorithm issues to be made known to users and the AG office.

The replacement: The new draft, instead of demanding oversight, mandates that the companies tell the users when AI is being used in consequential decisions and also explain AI’s role in unfavourable outcomes.

‘Vagueness’ to Narrower scope

The problem: The original law’s coverage of “high-risk AI systems” was too broad and vague, making it difficult to determine applicability.

The replacement: The new draft focuses on automated decision-making in consequential decisions (e.g., hiring, lending). This reduces ambiguity and targets high-impact use cases only.

Strict Liability to Structured framework

The problem: The original framework imposed broad responsibility on developers and deployers, with limited clarity on how liability is shared.
The replacement: The draft introduces clearer allocation of responsibility based on design, configuration, and use, and limits shifting liability via contracts. This directly impacts vendor relationships and indemnities.

Gearing Up for The Updated Draft

Though the new framework looks plausible, the already delayed bill is most likely to come into effect only around the later part of this year. Still, businesses should consider the preparations they will have to make to align with the replacement workgroup draft.

• Map and classify AI use cases: Start by identifying where AI is used across the organization, especially in “consequential decisions” like hiring, lending, pricing, or access to services. Businesses should document how decisions are made, where automation is involved, and what role AI plays in final outcomes.
• Build decision transparency and communication layers: The new framework emphasizes user-facing transparency, so companies need to prepare systems that clearly notify users when AI is involved. This includes designing plain-language explanations for adverse outcomes and ensuring these explanations are consistent and defensible. Businesses should think about how decisions are communicated today and where AI explanations can be integrated seamlessly.
• Enable correction and human review workflows: Organizations must be ready to handle challenges to AI-driven decisions. This means building processes that allow individuals to correct inaccurate data and request meaningful human review.
• Reassess vendor relationships and liability structures: For companies relying on third-party AI tools, the new framework has direct contractual implications. Businesses should review vendor agreements to clarify who is responsible for what, especially around system design, configuration, and use.

A More Realistic Path Forward

Colorado’s recalibration signifies the need for balance in a workable AI regulation. The combination of legal challenge and industry pushback exposed a gap between policy intent and practical enforcement. The new draft attempts to close that gap by shifting from heavy, proactive oversight to a model grounded in transparency and defined scope. For businesses, the direction of travel hasn’t changed while AI is still being regulated. What has changed that they now need to focus on operational readiness, transparency, and decision-level accountability.