July 19, 2026

9 min read

What Colorado's New AI Act Actually Requires Before January 2027

Why State AI Law Suddenly Matters to Companies That Aren't "AI Companies"

If your business uses AI to screen resumes, score leads, approve claims, price a loan, or triage a support ticket, you're now a "deployer" under a growing set of state laws, whether you built that AI in-house or bought it from a vendor with a slick dashboard. That's the part most founders miss. These laws don't target OpenAI or Anthropic. They target the company that decided to plug a model into a hiring workflow or an underwriting process and never asked what obligations came with it.

Colorado just repealed and replaced its AI Act. Texas's TRAIGA and California's SB 53 take effect January 1, 2026. Illinois and New York City already regulate AI in employment decisions specifically. And in December 2025, the White House issued an executive order trying to wipe most of this out at the federal level. None of it is settled. If you run operations at a $5M-$50M company and you're deploying AI in anything that touches a person's job, housing, health, or money, "wait and see" is not a strategy, it's a bet that the patchwork resolves in your favor before an regulator or plaintiff's attorney notices it hasn't.

What Does the Colorado AI Act Actually Require?

Colorado's original AI Act, SB24-205 (the CAIA), is gone. Lawmakers repealed it in 2026 and replaced it with SB26-189, the Automated Decision-Making Technology Act (ADMTA), which takes effect January 1, 2027, according to Skadden's analysis of the repeal and replacement. The original bill text is still public at leg.colorado.gov if you want to see what changed.

ADMTA covers any technology that processes personal data to make predictions, recommendations, or scores that materially influence a "consequential decision," a term we'll come back to because it's broader than most people assume. The law splits obligations two ways. Developers, the companies that build the AI system, have to give deployers documentation: what the system is intended to do, its known limitations, and what categories of data trained it. Deployers, meaning you if you're using the tool to make decisions about customers, employees, or applicants, have to notify people when an automated system influenced a consequential decision about them and give them a path to human review.

The Colorado Attorney General still has to write the implementing rules under the Colorado Consumer Protection Act before the law takes effect, per the AG's own rulemaking page. That rulemaking process is where the real detail will land: what counts as "reasonable care," what documentation is sufficient, how enforcement will actually work. Companies that wait for the final rules before doing anything will have very little runway once they're published.

How Texas, California, and Illinois Compare

Colorado isn't an outlier, it's the most-searched example of a pattern showing up across a dozen states. Texas's TRAIGA and California's SB 53 both take effect January 1, 2026, well ahead of Colorado's 2027 date, which means if you operate in multiple states you're already facing overlapping compliance windows, not a single deadline. Illinois amended its Human Rights Act to cover AI in employment decisions, and New York City's Local Law 144 already requires bias audits for automated employment decision tools, making hiring the single most heavily regulated use case for companies in the $5M-$50M range, because screening or ranking candidates with AI is exactly the kind of consequential decision every one of these laws is written to catch.

Search interest backs this up. "California ai law" runs around 590 searches a month, but spiked to roughly 2,400 in October 2025, almost certainly tied to SB 53 activity moving through the legislature. That's not developer curiosity, that's compliance teams and general counsel trying to figure out what just changed under them.

The details differ state to state (thresholds for who counts as a "developer" versus a "small deployer," what disclosures are required, whether there's a private right of action), but the shape is consistent everywhere: if AI materially influences a decision about a person's employment, housing, credit, insurance, or healthcare, someone in your organization now owns a documentation and notice obligation that didn't exist three years ago. Orrick maintains a live 50-state AI law tracker if you need the full list for your specific footprint, and the National Conference of State Legislatures publishes a running summary of 2025 state AI legislation that's worth bookmarking rather than trying to memorize.

Will Federal Preemption Make This Go Away?

Maybe eventually, but not on a timeline you can plan around, and not in a way that erases what's already effective. On December 11, 2025, the White House issued an executive order, "Ensuring a National Policy Framework for Artificial Intelligence," explicitly targeting what it calls the "patchwork" of state AI laws for federal preemption. It's real, it's newsworthy, and it changes the political conversation. It is also, as of this writing, an unresolved fight between the executive branch, Congress, and state legislatures, not a settled law that overrides Colorado's or Texas's statutes today.

Brookings has a useful comparison of how differently states are approaching this problem, from California's sector-specific rules to Colorado's broad consequential-decision framework, in their piece on divergent state strategies. That divergence is exactly why a single federal order is unlikely to cleanly wipe the board. Preemption fights over consumer protection law tend to take years and end up narrower than the initial announcement suggests. Treating the executive order as a reason to pause your compliance work is the same mistake as treating a pending appeal as a reason to ignore a court judgment. You comply with what's in effect, and you build systems flexible enough to adjust if the ground genuinely shifts.

What Counts as a "Consequential Decision" and Why It's Broader Than You Think

Most operators hear "consequential decision" and think of it as a lending or healthcare problem for banks and hospitals. It isn't. Under Colorado's ADMTA and similar frameworks, a consequential decision is one that has a material legal or similarly significant effect on a person's access to employment, education, housing, healthcare, insurance, or lending. That list covers a lot of ordinary mid-market operations:

  • An AI tool that screens or ranks resumes before a human recruiter sees them

  • A model that scores lead quality in a way that determines who gets a callback for a loan or insurance quote

  • A claims-triage agent that flags or fast-tracks certain claims for approval

  • An intake system that routes patients or clients to different levels of service based on a predicted risk score

  • A tenant-screening tool used by a property manager to approve or deny applicants

  • If any of that sounds like a workflow your operations or HR team already runs, you're in scope, regardless of company size. This is exactly where AI agents in financial services compliance and AI agents in HR operations intersect with these laws most directly, because lending, insurance, and hiring are the three use cases named, explicitly or by clear analogy, in nearly every state bill on the books.

    A Pre-Deployment Compliance Checklist for Any AI Agent or Vendor Tool

    Every law-firm alert we read explains the statute well and stops short of telling you what to actually do before Monday. Here's the checklist we walk clients through before any AI system touches a hiring, lending, insurance, or healthcare decision, built from actual deployments, not from reading the bill text cold.

    1. Get the vendor's documentation in writing before you sign, not after. Ask specifically for intended use, known limitations, and training data categories. If a vendor can't produce this, that's your answer about how seriously they take deployer obligations.

    2. Map every workflow where AI output touches a person's employment, housing, health, credit, or insurance outcome. Most companies can't answer this cleanly on the first try. It usually takes a real audit, not a Slack poll.

    3. Build a human-review path before you need one. A documented, staffed process for a person to challenge or appeal an AI-influenced decision isn't optional under Colorado's law or NYC's Local Law 144. Retrofitting it after a complaint is far more expensive than designing it in.

    4. Write the consumer notice now, even if your state's effective date is a year out. Notices are cheap to draft and expensive to improvise under a regulator's deadline.

    5. Log everything. Version of the model, date of decision, inputs considered, and whether a human reviewed it. Audit trails are the difference between a five-minute regulatory response and a six-week scramble through log files that don't exist.

    6. Reassess every time you swap a model or vendor. Documentation obligations attach to the specific system in use, not a one-time checkbox.

    None of this requires exotic tooling. It requires someone owning the mapping exercise and treating it as seriously as a security audit, because functionally, that's what it is.

    Why Off-the-Shelf AI Tools Create Hidden Compliance Exposure

    The uncomfortable part of this checklist is item one. Most SaaS AI tools, the ones sold with a monthly subscription and a dashboard, were not built with deployer documentation obligations in mind, and plenty of vendors will not have clean answers about training data provenance or model versioning history. You inherit that gap the moment you deploy their tool against a consequential decision, and "the vendor didn't tell me" is not a defense under most of these statutes; the deployer obligation sits with you regardless of who built the model.

    This is the practical argument for owning more of your AI stack rather than renting all of it, particularly for regulated or data-sensitive workflows: when you know exactly what data trained the system, where it runs, and how decisions are logged, you can answer a regulator's question in an afternoon instead of a month. It's also the argument for treating self-hosted, zero-retention deployments as a compliance feature, not just a security one, something we cover in more depth in our guide to LLM security for enterprise deployments. The internal controls this all points back to, model versioning, audit logs, human-in-the-loop review, are the same governance structure covered in our framework for enterprise AI agent governance, and the financial exposure of getting it wrong is exactly what underwriters are now pricing into AI liability insurance policies.

    If you're working through this decision, this is exactly what our Discovery phase maps out before any build starts, diagnosing where AI touches consequential decisions in your operation and what that means for vendor contracts and internal controls, and we're happy to compare notes.

    Frequently asked questions

    When does the Colorado AI Act (ADMTA) actually take effect?

    January 1, 2027. Colorado's original AI Act, SB24-205, was repealed in 2026 and replaced with SB26-189, the Automated Decision-Making Technology Act. The Colorado Attorney General still has to finalize implementing rules under the Colorado Consumer Protection Act before that date, so more specific requirements will keep emerging through 2026.

    Does the Colorado AI Act or similar state laws apply to AI used in hiring decisions?

    Yes. Employment is explicitly named as a consequential decision under Colorado's ADMTA, and it's the most common trigger for these laws generally. Illinois and New York City (Local Law 144) already regulate AI in hiring specifically, including bias-audit requirements for automated candidate screening or ranking tools.

    Will federal law preempt state AI regulations like Colorado's or California's?

    Not automatically, and not soon. The December 2025 executive order directs federal action against the state law "patchwork," but preemption fights of this kind typically take years to resolve and rarely erase state consumer-protection statutes entirely. Treat currently effective state laws as binding until a court or Congress says otherwise.

    How many US states currently have AI laws that apply to businesses?

    The number keeps changing, which is why static trackers are more useful than any single figure quoted here. Orrick's 50-state tracker and NCSL's legislative summary are the two most reliable running counts, and both show double-digit states with enacted or pending AI-specific statutes as of late 2025.

    What counts as a "consequential decision" under state AI laws?

    Broadly, any AI-influenced decision with a material effect on someone's access to employment, housing, healthcare, education, insurance, or lending. That covers resume screening, lead or applicant scoring, claims triage, tenant screening, and loan or insurance pricing, not just headline cases like medical diagnosis or bank underwriting.

Tell us where the manual work hurts

We’ll tell you straight whether AI can fix it, what it costs, and what it should return. Whatever we build, you own.

Tell us where the manual work hurts

We’ll tell you straight whether AI can fix it, what it costs, and what it should return. Whatever we build, you own.

Tell us where the manual work hurts

We’ll tell you straight whether AI can fix it, what it costs, and what it should return. Whatever we build, you own.

July 19, 2026

9 min read

What Colorado's New AI Act Actually Requires Before January 2027

Why State AI Law Suddenly Matters to Companies That Aren't "AI Companies"

If your business uses AI to screen resumes, score leads, approve claims, price a loan, or triage a support ticket, you're now a "deployer" under a growing set of state laws, whether you built that AI in-house or bought it from a vendor with a slick dashboard. That's the part most founders miss. These laws don't target OpenAI or Anthropic. They target the company that decided to plug a model into a hiring workflow or an underwriting process and never asked what obligations came with it.

Colorado just repealed and replaced its AI Act. Texas's TRAIGA and California's SB 53 take effect January 1, 2026. Illinois and New York City already regulate AI in employment decisions specifically. And in December 2025, the White House issued an executive order trying to wipe most of this out at the federal level. None of it is settled. If you run operations at a $5M-$50M company and you're deploying AI in anything that touches a person's job, housing, health, or money, "wait and see" is not a strategy, it's a bet that the patchwork resolves in your favor before an regulator or plaintiff's attorney notices it hasn't.

What Does the Colorado AI Act Actually Require?

Colorado's original AI Act, SB24-205 (the CAIA), is gone. Lawmakers repealed it in 2026 and replaced it with SB26-189, the Automated Decision-Making Technology Act (ADMTA), which takes effect January 1, 2027, according to Skadden's analysis of the repeal and replacement. The original bill text is still public at leg.colorado.gov if you want to see what changed.

ADMTA covers any technology that processes personal data to make predictions, recommendations, or scores that materially influence a "consequential decision," a term we'll come back to because it's broader than most people assume. The law splits obligations two ways. Developers, the companies that build the AI system, have to give deployers documentation: what the system is intended to do, its known limitations, and what categories of data trained it. Deployers, meaning you if you're using the tool to make decisions about customers, employees, or applicants, have to notify people when an automated system influenced a consequential decision about them and give them a path to human review.

The Colorado Attorney General still has to write the implementing rules under the Colorado Consumer Protection Act before the law takes effect, per the AG's own rulemaking page. That rulemaking process is where the real detail will land: what counts as "reasonable care," what documentation is sufficient, how enforcement will actually work. Companies that wait for the final rules before doing anything will have very little runway once they're published.

How Texas, California, and Illinois Compare

Colorado isn't an outlier, it's the most-searched example of a pattern showing up across a dozen states. Texas's TRAIGA and California's SB 53 both take effect January 1, 2026, well ahead of Colorado's 2027 date, which means if you operate in multiple states you're already facing overlapping compliance windows, not a single deadline. Illinois amended its Human Rights Act to cover AI in employment decisions, and New York City's Local Law 144 already requires bias audits for automated employment decision tools, making hiring the single most heavily regulated use case for companies in the $5M-$50M range, because screening or ranking candidates with AI is exactly the kind of consequential decision every one of these laws is written to catch.

Search interest backs this up. "California ai law" runs around 590 searches a month, but spiked to roughly 2,400 in October 2025, almost certainly tied to SB 53 activity moving through the legislature. That's not developer curiosity, that's compliance teams and general counsel trying to figure out what just changed under them.

The details differ state to state (thresholds for who counts as a "developer" versus a "small deployer," what disclosures are required, whether there's a private right of action), but the shape is consistent everywhere: if AI materially influences a decision about a person's employment, housing, credit, insurance, or healthcare, someone in your organization now owns a documentation and notice obligation that didn't exist three years ago. Orrick maintains a live 50-state AI law tracker if you need the full list for your specific footprint, and the National Conference of State Legislatures publishes a running summary of 2025 state AI legislation that's worth bookmarking rather than trying to memorize.

Will Federal Preemption Make This Go Away?

Maybe eventually, but not on a timeline you can plan around, and not in a way that erases what's already effective. On December 11, 2025, the White House issued an executive order, "Ensuring a National Policy Framework for Artificial Intelligence," explicitly targeting what it calls the "patchwork" of state AI laws for federal preemption. It's real, it's newsworthy, and it changes the political conversation. It is also, as of this writing, an unresolved fight between the executive branch, Congress, and state legislatures, not a settled law that overrides Colorado's or Texas's statutes today.

Brookings has a useful comparison of how differently states are approaching this problem, from California's sector-specific rules to Colorado's broad consequential-decision framework, in their piece on divergent state strategies. That divergence is exactly why a single federal order is unlikely to cleanly wipe the board. Preemption fights over consumer protection law tend to take years and end up narrower than the initial announcement suggests. Treating the executive order as a reason to pause your compliance work is the same mistake as treating a pending appeal as a reason to ignore a court judgment. You comply with what's in effect, and you build systems flexible enough to adjust if the ground genuinely shifts.

What Counts as a "Consequential Decision" and Why It's Broader Than You Think

Most operators hear "consequential decision" and think of it as a lending or healthcare problem for banks and hospitals. It isn't. Under Colorado's ADMTA and similar frameworks, a consequential decision is one that has a material legal or similarly significant effect on a person's access to employment, education, housing, healthcare, insurance, or lending. That list covers a lot of ordinary mid-market operations:

  • An AI tool that screens or ranks resumes before a human recruiter sees them

  • A model that scores lead quality in a way that determines who gets a callback for a loan or insurance quote

  • A claims-triage agent that flags or fast-tracks certain claims for approval

  • An intake system that routes patients or clients to different levels of service based on a predicted risk score

  • A tenant-screening tool used by a property manager to approve or deny applicants

  • If any of that sounds like a workflow your operations or HR team already runs, you're in scope, regardless of company size. This is exactly where AI agents in financial services compliance and AI agents in HR operations intersect with these laws most directly, because lending, insurance, and hiring are the three use cases named, explicitly or by clear analogy, in nearly every state bill on the books.

    A Pre-Deployment Compliance Checklist for Any AI Agent or Vendor Tool

    Every law-firm alert we read explains the statute well and stops short of telling you what to actually do before Monday. Here's the checklist we walk clients through before any AI system touches a hiring, lending, insurance, or healthcare decision, built from actual deployments, not from reading the bill text cold.

    1. Get the vendor's documentation in writing before you sign, not after. Ask specifically for intended use, known limitations, and training data categories. If a vendor can't produce this, that's your answer about how seriously they take deployer obligations.

    2. Map every workflow where AI output touches a person's employment, housing, health, credit, or insurance outcome. Most companies can't answer this cleanly on the first try. It usually takes a real audit, not a Slack poll.

    3. Build a human-review path before you need one. A documented, staffed process for a person to challenge or appeal an AI-influenced decision isn't optional under Colorado's law or NYC's Local Law 144. Retrofitting it after a complaint is far more expensive than designing it in.

    4. Write the consumer notice now, even if your state's effective date is a year out. Notices are cheap to draft and expensive to improvise under a regulator's deadline.

    5. Log everything. Version of the model, date of decision, inputs considered, and whether a human reviewed it. Audit trails are the difference between a five-minute regulatory response and a six-week scramble through log files that don't exist.

    6. Reassess every time you swap a model or vendor. Documentation obligations attach to the specific system in use, not a one-time checkbox.

    None of this requires exotic tooling. It requires someone owning the mapping exercise and treating it as seriously as a security audit, because functionally, that's what it is.

    Why Off-the-Shelf AI Tools Create Hidden Compliance Exposure

    The uncomfortable part of this checklist is item one. Most SaaS AI tools, the ones sold with a monthly subscription and a dashboard, were not built with deployer documentation obligations in mind, and plenty of vendors will not have clean answers about training data provenance or model versioning history. You inherit that gap the moment you deploy their tool against a consequential decision, and "the vendor didn't tell me" is not a defense under most of these statutes; the deployer obligation sits with you regardless of who built the model.

    This is the practical argument for owning more of your AI stack rather than renting all of it, particularly for regulated or data-sensitive workflows: when you know exactly what data trained the system, where it runs, and how decisions are logged, you can answer a regulator's question in an afternoon instead of a month. It's also the argument for treating self-hosted, zero-retention deployments as a compliance feature, not just a security one, something we cover in more depth in our guide to LLM security for enterprise deployments. The internal controls this all points back to, model versioning, audit logs, human-in-the-loop review, are the same governance structure covered in our framework for enterprise AI agent governance, and the financial exposure of getting it wrong is exactly what underwriters are now pricing into AI liability insurance policies.

    If you're working through this decision, this is exactly what our Discovery phase maps out before any build starts, diagnosing where AI touches consequential decisions in your operation and what that means for vendor contracts and internal controls, and we're happy to compare notes.

    Frequently asked questions

    When does the Colorado AI Act (ADMTA) actually take effect?

    January 1, 2027. Colorado's original AI Act, SB24-205, was repealed in 2026 and replaced with SB26-189, the Automated Decision-Making Technology Act. The Colorado Attorney General still has to finalize implementing rules under the Colorado Consumer Protection Act before that date, so more specific requirements will keep emerging through 2026.

    Does the Colorado AI Act or similar state laws apply to AI used in hiring decisions?

    Yes. Employment is explicitly named as a consequential decision under Colorado's ADMTA, and it's the most common trigger for these laws generally. Illinois and New York City (Local Law 144) already regulate AI in hiring specifically, including bias-audit requirements for automated candidate screening or ranking tools.

    Will federal law preempt state AI regulations like Colorado's or California's?

    Not automatically, and not soon. The December 2025 executive order directs federal action against the state law "patchwork," but preemption fights of this kind typically take years to resolve and rarely erase state consumer-protection statutes entirely. Treat currently effective state laws as binding until a court or Congress says otherwise.

    How many US states currently have AI laws that apply to businesses?

    The number keeps changing, which is why static trackers are more useful than any single figure quoted here. Orrick's 50-state tracker and NCSL's legislative summary are the two most reliable running counts, and both show double-digit states with enacted or pending AI-specific statutes as of late 2025.

    What counts as a "consequential decision" under state AI laws?

    Broadly, any AI-influenced decision with a material effect on someone's access to employment, housing, healthcare, education, insurance, or lending. That covers resume screening, lead or applicant scoring, claims triage, tenant screening, and loan or insurance pricing, not just headline cases like medical diagnosis or bank underwriting.

Tell us where the manual work hurts

We’ll tell you straight whether AI can fix it, what it costs, and what it should return. Whatever we build, you own.

Tell us where the manual work hurts

We’ll tell you straight whether AI can fix it, what it costs, and what it should return. Whatever we build, you own.

Tell us where the manual work hurts

We’ll tell you straight whether AI can fix it, what it costs, and what it should return. Whatever we build, you own.

July 19, 2026

9 min read

What Colorado's New AI Act Actually Requires Before January 2027

Why State AI Law Suddenly Matters to Companies That Aren't "AI Companies"

If your business uses AI to screen resumes, score leads, approve claims, price a loan, or triage a support ticket, you're now a "deployer" under a growing set of state laws, whether you built that AI in-house or bought it from a vendor with a slick dashboard. That's the part most founders miss. These laws don't target OpenAI or Anthropic. They target the company that decided to plug a model into a hiring workflow or an underwriting process and never asked what obligations came with it.

Colorado just repealed and replaced its AI Act. Texas's TRAIGA and California's SB 53 take effect January 1, 2026. Illinois and New York City already regulate AI in employment decisions specifically. And in December 2025, the White House issued an executive order trying to wipe most of this out at the federal level. None of it is settled. If you run operations at a $5M-$50M company and you're deploying AI in anything that touches a person's job, housing, health, or money, "wait and see" is not a strategy, it's a bet that the patchwork resolves in your favor before an regulator or plaintiff's attorney notices it hasn't.

What Does the Colorado AI Act Actually Require?

Colorado's original AI Act, SB24-205 (the CAIA), is gone. Lawmakers repealed it in 2026 and replaced it with SB26-189, the Automated Decision-Making Technology Act (ADMTA), which takes effect January 1, 2027, according to Skadden's analysis of the repeal and replacement. The original bill text is still public at leg.colorado.gov if you want to see what changed.

ADMTA covers any technology that processes personal data to make predictions, recommendations, or scores that materially influence a "consequential decision," a term we'll come back to because it's broader than most people assume. The law splits obligations two ways. Developers, the companies that build the AI system, have to give deployers documentation: what the system is intended to do, its known limitations, and what categories of data trained it. Deployers, meaning you if you're using the tool to make decisions about customers, employees, or applicants, have to notify people when an automated system influenced a consequential decision about them and give them a path to human review.

The Colorado Attorney General still has to write the implementing rules under the Colorado Consumer Protection Act before the law takes effect, per the AG's own rulemaking page. That rulemaking process is where the real detail will land: what counts as "reasonable care," what documentation is sufficient, how enforcement will actually work. Companies that wait for the final rules before doing anything will have very little runway once they're published.

How Texas, California, and Illinois Compare

Colorado isn't an outlier, it's the most-searched example of a pattern showing up across a dozen states. Texas's TRAIGA and California's SB 53 both take effect January 1, 2026, well ahead of Colorado's 2027 date, which means if you operate in multiple states you're already facing overlapping compliance windows, not a single deadline. Illinois amended its Human Rights Act to cover AI in employment decisions, and New York City's Local Law 144 already requires bias audits for automated employment decision tools, making hiring the single most heavily regulated use case for companies in the $5M-$50M range, because screening or ranking candidates with AI is exactly the kind of consequential decision every one of these laws is written to catch.

Search interest backs this up. "California ai law" runs around 590 searches a month, but spiked to roughly 2,400 in October 2025, almost certainly tied to SB 53 activity moving through the legislature. That's not developer curiosity, that's compliance teams and general counsel trying to figure out what just changed under them.

The details differ state to state (thresholds for who counts as a "developer" versus a "small deployer," what disclosures are required, whether there's a private right of action), but the shape is consistent everywhere: if AI materially influences a decision about a person's employment, housing, credit, insurance, or healthcare, someone in your organization now owns a documentation and notice obligation that didn't exist three years ago. Orrick maintains a live 50-state AI law tracker if you need the full list for your specific footprint, and the National Conference of State Legislatures publishes a running summary of 2025 state AI legislation that's worth bookmarking rather than trying to memorize.

Will Federal Preemption Make This Go Away?

Maybe eventually, but not on a timeline you can plan around, and not in a way that erases what's already effective. On December 11, 2025, the White House issued an executive order, "Ensuring a National Policy Framework for Artificial Intelligence," explicitly targeting what it calls the "patchwork" of state AI laws for federal preemption. It's real, it's newsworthy, and it changes the political conversation. It is also, as of this writing, an unresolved fight between the executive branch, Congress, and state legislatures, not a settled law that overrides Colorado's or Texas's statutes today.

Brookings has a useful comparison of how differently states are approaching this problem, from California's sector-specific rules to Colorado's broad consequential-decision framework, in their piece on divergent state strategies. That divergence is exactly why a single federal order is unlikely to cleanly wipe the board. Preemption fights over consumer protection law tend to take years and end up narrower than the initial announcement suggests. Treating the executive order as a reason to pause your compliance work is the same mistake as treating a pending appeal as a reason to ignore a court judgment. You comply with what's in effect, and you build systems flexible enough to adjust if the ground genuinely shifts.

What Counts as a "Consequential Decision" and Why It's Broader Than You Think

Most operators hear "consequential decision" and think of it as a lending or healthcare problem for banks and hospitals. It isn't. Under Colorado's ADMTA and similar frameworks, a consequential decision is one that has a material legal or similarly significant effect on a person's access to employment, education, housing, healthcare, insurance, or lending. That list covers a lot of ordinary mid-market operations:

  • An AI tool that screens or ranks resumes before a human recruiter sees them

  • A model that scores lead quality in a way that determines who gets a callback for a loan or insurance quote

  • A claims-triage agent that flags or fast-tracks certain claims for approval

  • An intake system that routes patients or clients to different levels of service based on a predicted risk score

  • A tenant-screening tool used by a property manager to approve or deny applicants

  • If any of that sounds like a workflow your operations or HR team already runs, you're in scope, regardless of company size. This is exactly where AI agents in financial services compliance and AI agents in HR operations intersect with these laws most directly, because lending, insurance, and hiring are the three use cases named, explicitly or by clear analogy, in nearly every state bill on the books.

    A Pre-Deployment Compliance Checklist for Any AI Agent or Vendor Tool

    Every law-firm alert we read explains the statute well and stops short of telling you what to actually do before Monday. Here's the checklist we walk clients through before any AI system touches a hiring, lending, insurance, or healthcare decision, built from actual deployments, not from reading the bill text cold.

    1. Get the vendor's documentation in writing before you sign, not after. Ask specifically for intended use, known limitations, and training data categories. If a vendor can't produce this, that's your answer about how seriously they take deployer obligations.

    2. Map every workflow where AI output touches a person's employment, housing, health, credit, or insurance outcome. Most companies can't answer this cleanly on the first try. It usually takes a real audit, not a Slack poll.

    3. Build a human-review path before you need one. A documented, staffed process for a person to challenge or appeal an AI-influenced decision isn't optional under Colorado's law or NYC's Local Law 144. Retrofitting it after a complaint is far more expensive than designing it in.

    4. Write the consumer notice now, even if your state's effective date is a year out. Notices are cheap to draft and expensive to improvise under a regulator's deadline.

    5. Log everything. Version of the model, date of decision, inputs considered, and whether a human reviewed it. Audit trails are the difference between a five-minute regulatory response and a six-week scramble through log files that don't exist.

    6. Reassess every time you swap a model or vendor. Documentation obligations attach to the specific system in use, not a one-time checkbox.

    None of this requires exotic tooling. It requires someone owning the mapping exercise and treating it as seriously as a security audit, because functionally, that's what it is.

    Why Off-the-Shelf AI Tools Create Hidden Compliance Exposure

    The uncomfortable part of this checklist is item one. Most SaaS AI tools, the ones sold with a monthly subscription and a dashboard, were not built with deployer documentation obligations in mind, and plenty of vendors will not have clean answers about training data provenance or model versioning history. You inherit that gap the moment you deploy their tool against a consequential decision, and "the vendor didn't tell me" is not a defense under most of these statutes; the deployer obligation sits with you regardless of who built the model.

    This is the practical argument for owning more of your AI stack rather than renting all of it, particularly for regulated or data-sensitive workflows: when you know exactly what data trained the system, where it runs, and how decisions are logged, you can answer a regulator's question in an afternoon instead of a month. It's also the argument for treating self-hosted, zero-retention deployments as a compliance feature, not just a security one, something we cover in more depth in our guide to LLM security for enterprise deployments. The internal controls this all points back to, model versioning, audit logs, human-in-the-loop review, are the same governance structure covered in our framework for enterprise AI agent governance, and the financial exposure of getting it wrong is exactly what underwriters are now pricing into AI liability insurance policies.

    If you're working through this decision, this is exactly what our Discovery phase maps out before any build starts, diagnosing where AI touches consequential decisions in your operation and what that means for vendor contracts and internal controls, and we're happy to compare notes.

    Frequently asked questions

    When does the Colorado AI Act (ADMTA) actually take effect?

    January 1, 2027. Colorado's original AI Act, SB24-205, was repealed in 2026 and replaced with SB26-189, the Automated Decision-Making Technology Act. The Colorado Attorney General still has to finalize implementing rules under the Colorado Consumer Protection Act before that date, so more specific requirements will keep emerging through 2026.

    Does the Colorado AI Act or similar state laws apply to AI used in hiring decisions?

    Yes. Employment is explicitly named as a consequential decision under Colorado's ADMTA, and it's the most common trigger for these laws generally. Illinois and New York City (Local Law 144) already regulate AI in hiring specifically, including bias-audit requirements for automated candidate screening or ranking tools.

    Will federal law preempt state AI regulations like Colorado's or California's?

    Not automatically, and not soon. The December 2025 executive order directs federal action against the state law "patchwork," but preemption fights of this kind typically take years to resolve and rarely erase state consumer-protection statutes entirely. Treat currently effective state laws as binding until a court or Congress says otherwise.

    How many US states currently have AI laws that apply to businesses?

    The number keeps changing, which is why static trackers are more useful than any single figure quoted here. Orrick's 50-state tracker and NCSL's legislative summary are the two most reliable running counts, and both show double-digit states with enacted or pending AI-specific statutes as of late 2025.

    What counts as a "consequential decision" under state AI laws?

    Broadly, any AI-influenced decision with a material effect on someone's access to employment, housing, healthcare, education, insurance, or lending. That covers resume screening, lead or applicant scoring, claims triage, tenant screening, and loan or insurance pricing, not just headline cases like medical diagnosis or bank underwriting.

Tell us where the manual work hurts

We’ll tell you straight whether AI can fix it, what it costs, and what it should return. Whatever we build, you own.

Tell us where the manual work hurts

We’ll tell you straight whether AI can fix it, what it costs, and what it should return. Whatever we build, you own.

Tell us where the manual work hurts

We’ll tell you straight whether AI can fix it, what it costs, and what it should return. Whatever we build, you own.