From CAIA to ADMT: Colorado's Repealed AI Act, Its SB 26-189 Replacement, and What It Means for Insurers

Executive Summary

• Colorado's first-in-the-nation AI Act (SB 24-205) never took effect and has been repealed and reenacted by SB 26-189 (signed May 14, 2026; substantive duties begin January 1, 2027), which junks the "high-risk AI / reasonable-care / impact-assessment" model for a narrower notice-and-consumer-rights regime for "covered automated decision-making technology (ADMT)."
• For insurers the bottom line is continuity: under both the old and new statutes, a carrier subject to Colorado's insurance-specific algorithmic-discrimination law C.R.S. § 10-3-1104.9 (SB 21-169) and DOI Regulation 10-1-1 (3 CCR 702-10) is deemed in compliance "regarding the practice of insurance" — but the deeming does not cover an insurer's own employment decisions, which remain fully subject to SB 26-189.
• There is no merits case law interpreting SB 24-205; the only litigation, X.AI LLC v. Weiser, No. 1:26-cv-01515 (D. Colo.), produced an April 27, 2026 order staying enforcement, and the federal constitutional challenge remains live as of June 20, 2026.

Key Findings

1. SB 24-205 (the "Colorado AI Act"/"CAIA"). Signed by Gov. Jared Polis on May 17, 2024. In his accompanying letter to the General Assembly, Polis stated he signed the bill "with reservations," urged the sponsors "to significantly improve" the law before it took effect, and expressed hope it would ultimately be replaced "with a needed cohesive federal approach" that would preempt it. CAIA was codified at C.R.S. §§ 6-1-1701–1707 (Title 6, Article 1, Part 17). It imposed duties of "reasonable care" on "developers" (§ 6-1-1702) and "deployers" (§ 6-1-1703) of "high-risk artificial intelligence systems" to avoid "algorithmic discrimination" in "consequential decisions" — including insurance, employment, housing, lending, health care, education, essential government services, and legal services. Consumer disclosure was § 6-1-1704; exemptions/compliance-with-other-law (including the insurance carve-out) was § 6-1-1705; AG exclusive enforcement and the affirmative defense were § 6-1-1706; AG rulemaking was § 6-1-1707.

2. The insurance deeming provision under SB 24-205 (§ 6-1-1705(7)). Verbatim: "An insurer, as defined in section 10-1-102(13), a fraternal benefit society, as described in section 10-14-102, or a developer of an artificial intelligence system used by an insurer is in full compliance with this part 17 if the insurer, the fraternal benefit society, or the developer is subject to the requirements of section 10-3-1104.9 and any rules adopted by the commissioner of insurance pursuant to section 10-3-1104.9."

3. Effective-date history. Original effective date February 1, 2026. Extended to June 30, 2026 by SB 25B-004 ("Increase Transparency for Algorithmic Systems"), passed in the August 2025 first special session and signed by Gov. Polis on August 28, 2025. SB 25B-004 was introduced as a substantive overhaul of CAIA, but as enacted it did one thing only: it pushed the SB 24-205 effective date from February 1, 2026 to June 30, 2026. Neither date ever went live because SB 26-189 superseded the framework.

4. The litigation: X.AI LLC v. Weiser, No. 1:26-cv-01515 (D. Colo.). xAI (maker of Grok) filed April 9, 2026, against Colorado AG Philip J. Weiser, pleading six constitutional theories led by the First Amendment (compelled speech/content and viewpoint discrimination) and the Fourteenth Amendment Equal Protection Clause, plus dormant Commerce Clause and Due Process vagueness. The DOJ moved to intervene April 24, 2026 (Acting AG Todd Blanche certified the case as one of general public importance under 42 U.S.C. § 2000h-2) — the first federal intervention against a state AI law; its complaint in intervention focused on Equal Protection theories of compelled and authorized discrimination. On April 27, 2026, Magistrate Judge Cyrus Y. Chung — on referral from the assigned district judge — granted a joint motion staying enforcement; the AG agreed not to enforce (including not to investigate) for alleged violations occurring on or before 14 days after a ruling on xAI's forthcoming preliminary-injunction motion. The case is assigned to Chief Judge Daniel D. Domenico. As of June 20, 2026, no PI motion has been filed (under the stay order, xAI's motion is due within 28 days after final adoption of the replacement rulemaking), and there is no merits ruling.

5. SB 26-189 (ADMT). "Concerning the Use of Automated Decision-Making Technology in Consequential Decisions." Introduced May 1, 2026; passed the Senate 34-1 (third reading May 7, 2026); passed the House 57-6 (third reading May 9, 2026); the Senate concurred in House amendments 34-1 on May 12, 2026; signed by Gov. Polis on May 14, 2026. Repeals and reenacts Part 17. Substantive duties begin January 1, 2027, and the act applies to consequential decisions made on or after its effective date.

6. The insurance deeming provision under SB 26-189 (§ 6-1-1708). New § 6-1-1708(1)(a): an insurer (as defined in § 10-1-102(13)) "and any affiliated entities are in compliance with this part 17 regarding the practice of insurance if the insurer and any affiliated entities are subject to the requirements of section 10-3-1104.9." Section 6-1-1708(1)(b) provides that an insurer not deemed compliant must give § 6-1-1704(3) notice/disclosure of covered-ADMT use in the practice of insurance; § 6-1-1708(2) preserves applicability of the new Part 17 to insurer employment uses. The deeming survived — but it now keys to the statute (§ 10-3-1104.9) rather than expressly to the commissioner's rules, and the legislature simultaneously amended § 10-3-1104.9 (in SB 26-189 § 3) to authorize the commissioner to adopt or update rules on insurer-to-consumer notice and disclosures.

Resolving the apparent tension: sources describing SB 26-189 as having "eliminated exemptions" are correct as to the federally-regulated-entity entity-based exemptions of old § 6-1-1705 (e.g., the bank/credit-union "prudential regulator" deeming, and the FDA/FHFA/HHS-ONC federal-standards exclusions) — those broad conditional exemptions were not carried forward in the same form. But the insurance deeming for the practice of insurance was retained in § 6-1-1708, and a creditor ECOA/Reg B/FCRA notice-substitution accommodation (§ 6-1-1704(6)), a HIPAA-covered-entity exclusion outside employment (§ 6-1-1708(3)), and a FERPA notice/human-review accommodation (§§ 6-1-1704(9), 6-1-1705(2)) were added. So for insurers, the safe harbor did not disappear — it was preserved and modestly recalibrated.

Details

A. SB 24-205 — what it was

SB 24-205 was the first comprehensive U.S. state AI statute. "Algorithmic discrimination" meant any condition in which the use of an AI system results in unlawful differential treatment or impact disfavoring individuals on a protected basis (with an express carve-out for uses to expand a pool "to increase diversity or redress historical discrimination" — the carve-out the DOJ later attacked on Equal Protection grounds). Deployers carried the heaviest burdens: a written risk-management policy and program (§ 6-1-1703(2)), annual impact assessments (§ 6-1-1703(3)), annual review for discrimination, consumer notice for consequential decisions, a right to correct data, a right to appeal to human review, a public website statement, and AG notice within 90 days of discovering discrimination. The AG had exclusive enforcement (§ 6-1-1706(1)); violations were a deceptive trade practice under the Colorado Consumer Protection Act. Penalties run under C.R.S. § 6-1-112(1)(a) — "a civil penalty of not more than twenty thousand dollars for each such violation," with each consumer or transaction a separate violation (the former $500,000 aggregate cap was removed by HB 19-1289, effective 2019). There is no private right of action. The affirmative defense (§ 6-1-1706(3)) required discovering and curing a violation (via solicited feedback, adversarial testing/red-teaming, or internal review) plus compliance with a recognized AI risk-management framework (NIST AI RMF / ISO/IEC 42001).

B. The road to repeal

Polis signed CAIA only after asking the legislature to revise it. Attempts to amend during the 2025 regular session failed (SB 25-318 was introduced and then postponed indefinitely). The August 2025 special session produced only SB 25B-004, which moved the date to June 30, 2026. Polis then convened an AI Policy Work Group, which conducted structured stakeholder consultation from October 2025 and published a proposed framework on March 17, 2026 (announced in the Governor's "unanimous support for revised policy framework" release). That framework became SB 26-189. Federal pressure mounted in parallel: President Trump's December 2025 Executive Order 14365 ("Ensuring a National Policy Framework for Artificial Intelligence," 90 Fed. Reg. 58,499 (Dec. 16, 2025)) criticized state AI laws as a "patchwork of 50 different regulatory regimes" and cited Colorado's algorithmic-discrimination law as an example, and the DOJ intervened in xAI.

C. SB 26-189 — the new framework

SB 26-189 abandons "high-risk AI system" for "covered ADMT" — automated decision-making technology used to "materially influence" a "consequential decision." "Materially influence" means an ADMT output is a non-de-minimis factor used in making a consequential decision and that affects the outcome (constraining, ranking, scoring, recommending, classifying, or otherwise meaningfully altering how the decision is made); it excludes incidental, trivial, or clerical uses. The act eliminates the duty of care, risk-management programs, impact assessments, annual reviews, AG discrimination notices, the standalone "you-are-interacting-with-AI" disclosure, and the NIST/ISO affirmative defense. What remains:

• Developers (§ 6-1-1702): provide deployers technical documentation (intended uses, known harmful/inappropriate uses, categories of training data, known limitations, instructions for appropriate use and meaningful human review); notify of material updates; retain records ≥ 3 years.
• Deployers (§§ 6-1-1703–1705): retain records ≥ 3 years; provide clear-and-conspicuous pre-use notice at the point of interaction; provide a plain-language post-adverse-outcome explanation within 30 days; honor consumer rights to access/correct factually incorrect personal data and to request meaningful human review and reconsideration where commercially reasonable.
• Liability/indemnification (§ 6-1-1707): developers and deployers may be liable under existing anti-discrimination law (expressly including the Colorado Anti-Discrimination Act, C.R.S. Title 24, Art. 34, Parts 3–8) for a consequential decision materially influenced by covered ADMT; fault is allocated by relative responsibility (expressly not joint and several); contractual indemnification for one's own discriminatory acts is void as against public policy; developers are shielded from liability for off-label deployer uses.
• Enforcement (§ 6-1-1706): AG exclusive; deceptive trade practice under the Colorado Consumer Protection Act; 60-day notice-and-cure (waivable for knowing/repeated violations; the cure window applies to actions initiated before January 1, 2030); no new private right of action, and the act does not limit existing rights/remedies. SB 26-189 § 2 adds a Part 17 violation to the list of deceptive trade practices in C.R.S. § 6-1-105(1).
• Covered domains expressly include "insurance, including underwriting, pricing, coverage, claims adjudication, or other determinations that materially affect access to benefits." "Consumer" expressly includes employees and Colorado-resident job applicants — pulling workforce decisions into scope in a way the Colorado Privacy Act largely excludes.

A practical note for claims and underwriting audiences: because covered domains list claims adjudication, pricing, coverage, and underwriting, an AI model used in those functions is squarely within the new statute's "consequential decision" definition — but for a Colorado-licensed insurer those uses fall under the § 6-1-1708 insurance deeming so long as the carrier is subject to § 10-3-1104.9.

D. The SB 21-169 insurance backdrop

SB 21-169, "Protecting Consumers from Unfair Discrimination in Insurance Practices," was signed July 6, 2021 (effective Sept. 7, 2021) and codified at C.R.S. § 10-3-1104.9. It prohibits insurers from using External Consumer Data and Information Sources (ECDIS) — and algorithms/predictive models that use ECDIS — in any insurance practice (marketing, underwriting, pricing, utilization management, reimbursement methodologies, and claims management) in a way that unfairly discriminates based on race, color, national or ethnic origin, religion, sex, sexual orientation, disability, gender identity, or gender expression. The statute is an enabling law; the operative detail lives in DOI rules adopted sector-by-sector:

• Regulation 10-1-1 (3 CCR 702-10), Governance and Risk Management Framework. Originally effective November 14, 2023 for individual life insurers. Life insurers filed a compliance progress report by June 1, 2024 and an annual attestation beginning December 1, 2024 and annually thereafter. Insurers that do not use ECDIS file an annual non-use attestation — signed by an officer and submitted via SERFF — no later than December 1.
• Amended Regulation 10-1-1, effective October 15, 2025, extends the governance/risk-management framework to private passenger automobile insurers and health benefit plan insurers. Auto and health insurers must have all governance/framework components available to the Division upon request by July 1, 2026, with an interim progress report due December 1, 2025 and a compliance report due July 1, 2026 (annually thereafter).
• Quantitative testing regulation (3 CCR 702-10 series). A draft Algorithm and Predictive Model Quantitative Testing Regulation for life insurance was released for informal comment on September 28, 2023; the prescribed quantitative-testing methodology (e.g., whether the DOI will mandate a Bayesian Improved First Name Surname Geocoding approach to estimate race/ethnicity) remains under consideration/pending as of mid-2026, and the auto/health quantitative-testing implementing rules remain in active development.

The two regimes are distinct: SB 21-169/Reg 10-1-1 is insurance-specific and enforced by the Division of Insurance; SB 24-205/SB 26-189 is cross-sector and enforced by the Attorney General. A vendor's compliance is not the insurer's compliance — the Colorado-licensed carrier owns the governance, testing, and attestation obligations even for third-party models.

E. NAIC and multistate context

The NAIC adopted its Model Bulletin on the Use of Artificial Intelligence Systems by Insurers on December 4, 2023. It is principles-based guidance (not a model law or regulation) reminding insurers that AI-supported decisions must comply with existing unfair trade practice and unfair claims settlement laws, and setting expectations for a written "AIS Program" with governance, risk management, third-party vendor diligence, and consumer notice. As of the NAIC's spring 2026 reporting, 24 states and the District of Columbia have adopted the Model Bulletin, and four additional states have adopted insurance-specific AI regulation or guidance. Separately, the NAIC's AI Systems Evaluation Tool — a regulator examination/market-conduct aid — is in a pilot running March–September 2026 with 12 participating states (CA, CO, CT, FL, IA, LA, MD, PA, RI, VT, VA, WI), with anticipated adoption at the 2026 Fall National Meeting. Colorado's SB 21-169/Reg 10-1-1 regime is more prescriptive than the bulletin (quantitative testing and annual attestation), so a carrier building to Colorado's bar generally exceeds the bulletin's floor — Colorado Insurance Commissioner Michael Conway co-vice-chaired the NAIC committee that produced the bulletin and has publicly pushed for the NAIC to move toward model laws/regulations.

F. Federal backdrop

On June 2, 2026, the White House issued Executive Order 14409, "Promoting Advanced Artificial Intelligence Innovation and Security," focused on hardening federal cyber defenses, a voluntary frontier-model pre-deployment access framework (up to 30 days), and enforcement against AI-enabled cybercrime; it expressly disclaims any "mandatory governmental licensing, preclearance, or permitting requirement." That order is distinct from the December 2025 EO 14365 that targeted state AI laws. The DOJ's intervention in xAI v. Weiser is the administration's first litigation move against a state AI law and signals a possible broader preemption-by-litigation strategy.

Recommendations

1. Treat SB 21-169/Reg 10-1-1 as the operative insurance AI regime today. The deeming provision in both SB 24-205 and SB 26-189 is only as strong as actual § 10-3-1104.9 compliance — a carrier without a documented governance framework and (where applicable) testing program cannot rely on it. Life insurers: confirm the governance framework and the December 1 annual attestation are current. Auto and health carriers: meet the July 1, 2026 framework-availability deadline (the interim progress report was due December 1, 2025) — this is an enforceable obligation now, independent of anything in SB 26-189.
2. Do not stand up a parallel ADMT compliance program for the practice of insurance — the § 6-1-1708 deeming makes that redundant for carriers in § 10-3-1104.9 compliance. Do build SB 26-189 processes (pre-use notice, 30-day adverse-outcome explanation, access/correction and human-review rights, developer documentation) for insurer employment/HR uses, which the deeming does not cover and which the new act reaches — including job applicants and employees — beginning January 1, 2027.
3. Review AI vendor contracts now against SB 26-189 § 6-1-1707: any clause indemnifying a party for its own discriminatory ADMT acts is void, so reallocate risk through warranties, testing/audit rights, and documentation cooperation rather than indemnities.
4. Monitor two rulemakings: (a) the Colorado AG's SB 26-189 rules defining "materially influence" and clarifying post-adverse-outcome disclosures, due on or before January 1, 2027; and (b) the DOI's pending quantitative-testing methodology and the auto/health implementing rules under § 10-3-1104.9.
5. Track xAI v. Weiser. A merits ruling — particularly on the First Amendment and Equal Protection theories — could reset the constitutional ceiling for every state AI law. Watch for the preliminary-injunction motion, which under the stay order is due within 28 days after final adoption of the AG's replacement rulemaking.

Benchmarks that would change this analysis: the DOI finalizing a prescribed quantitative-testing methodology (raises the § 10-3-1104.9 compliance bar that anchors the deeming); a substantive ruling in xAI v. Weiser (the litigation targets the AG-enforced AI statute, not the DOI insurance regime, so a plaintiff win would leave SB 21-169/Reg 10-1-1 intact while reshaping the cross-sector regime); or federal preemption legislation.

Caveats

• SB 26-189's section numbering and catchlines are drawn from the enacted bill text (the introduced/enrolled version available on the General Assembly site); final codified C.R.S. catchlines and internal cross-references could shift slightly on official publication. The insurer deeming is at § 6-1-1708; AG enforcement at § 6-1-1706; liability/indemnification at § 6-1-1707.
• SB 26-189's structure separates its effective date (the act applies to consequential decisions made on or after the effective date) from the January 1, 2027 start date written into the operative developer/deployer duties and the AG's rulemaking deadline; commentary describing a flat "January 1, 2027 effective date" is shorthand for when the substantive obligations bite.
• The "materially influence" standard and post-adverse-outcome disclosure mechanics await AG rulemaking, and the DOI's quantitative-testing methodology and auto/health implementing rules remain in flux — confirm deadlines against the Division's SB 21-169 page before relying on them.
• xAI v. Weiser is a federal district-court constitutional matter, not a Colorado insurance-law case; nothing in it interprets SB 21-169, Reg 10-1-1, or the insurance deeming, and no merits decision has issued as of June 20, 2026.

Sources

• SB 24-205 bill page and enrolled text, Colorado General Assembly
• C.R.S. § 6-1-1705 (insurance deeming, SB 24-205), FindLaw
• C.R.S. § 6-1-1706 (enforcement/affirmative defense, SB 24-205), Justia
• SB 25B-004 (effective-date extension) bill page, Colorado General Assembly
• SB 26-189 bill page and introduced text, Colorado General Assembly
• Governor's signing release (SB 26-189, May 14, 2026), Colorado Governor's Office
• SB 26-189 vote history, LegiScan
• X.AI LLC v. Weiser, No. 1:26-cv-01515 (D. Colo.) docket, CourtListener
• DOJ complaint in intervention and press release, U.S. Department of Justice
• C.R.S. § 10-3-1104.9 (SB 21-169), Justia
• Colorado DOI SB 21-169 page, Colorado Division of Insurance
• Regulation 10-1-1 / 3 CCR 702-10 (amended, eff. Oct. 15, 2025), Colorado Secretary of State
• Draft quantitative testing regulation (3 CCR 702-10), Colorado Division of Insurance
• NAIC Model Bulletin on Use of AI Systems by Insurers (adopted Dec. 4, 2023), National Association of Insurance Commissioners
• White House Executive Order 14409 (June 2, 2026), "Promoting Advanced Artificial Intelligence Innovation and Security", The White House