America's AI regulatory landscape just had a month that made legal counsel everywhere reach for stronger coffee. Colorado's landmark AI Act, once celebrated as the country's first comprehensive state AI law, was gutted and replaced before it ever took effect. 

Then, eleven days later, a bipartisan House duo dropped a 269-page federal bill aiming to freeze every state AI development law in the country for three years. If you are responsible for AI governance at an enterprise, these two events belong at the top of your agenda right now.

Colorado's original AI Act (SB 24-205) was ambitious. 

It imposed a risk-based framework on deployers and developers of high-risk AI systems, requiring annual impact assessments, risk management programs, and discrimination-prevention duties covering employment, housing, healthcare, financial services, and education. 

💡
After two deadline delays, Governor Jared Polis signed SB 26-189 on May 14, 2026, replacing the original law entirely. The mandatory risk management programs are gone. So are the annual impact assessments and the algorithmic discrimination duty of care.

What survived is narrower: consumer notice obligations before AI is used in consequential decisions, the right to an explanation for adverse outcomes, a meaningful human review path, and developer documentation requirements. 

The new law, SB 26-189, governs automated decision-making technology (ADMT) that "materially influences" consequential decisions. Enforcement now sits under a new effective date of January 1, 2027, with the Colorado Attorney General running rule-making.

For compliance teams, the practical shift matters. The priority has shifted away from building an enterprise AI risk program from scratch under a compressed timeline. 

The more immediate focus is on mapping where AI touches consequential decisions, building consumer notice into those workflows, maintaining appeal paths, and keeping vendor agreements aligned with the new documentation requirements.

6 things every AI leader needs to get right in H2 2026
The pilot phase is over. Here are the 6 trends shaping AI strategy in H2 2026, from agentic infrastructure to physical AI and custom builds.
AI Accelerator InstituteAndrew Lovell

The replacement law retains enough to require real operational work. Here is what the new framework requires of deployers and developers:

Pre-use consumer notice: A clear, conspicuous disclosure that ADMT is being used in a consequential decision. Prominent public notices at consumer interaction points satisfy this requirement.

Adverse outcome explanations: When AI influences a decision that denies, terminates, revokes, or materially reduces access to a service or opportunity, affected consumers have the right to an explanation.

Worse pricing terms also trigger this duty; the law covers the full spectrum of adverse outcomes, from outright rejections to materially less favorable terms.

Meaningful human review: Consumers must have a path to contest AI-influenced decisions through a genuine human review process, entirely separate from the automated system that produced the original outcome.

Developer documentation: Organizations building or substantially modifying ADMT systems face documentation requirements that align with existing frameworks like the NIST AI Risk Management Framework and ISO/IEC 42001.

💡
One important note on scope: "consumer" is defined broadly. It covers Colorado-resident employees, job applicants, and even non-residents whose access to a Colorado opportunity is being decided. HR deployments are firmly in scope.

Congress enters the field

On June 4, 2026, Representatives Jay Obernolte (R-CA) and Lori Trahan (D-MA) released a discussion draft of the Great American Artificial Intelligence Act of 2026 (GAAIA).

The 269-page bill targets frontier AI models, defined by compute thresholds, and proposes a framework spanning safety, transparency, whistleblower protections, workforce development, and cybersecurity.

The headline provision for enterprise teams is a three-year preemption clause.

If passed, the bill would freeze all state laws specifically regulating AI model development for three years, with Congress holding the field on how frontier models are built. Supporters frame this as necessary to avoid a fragmented patchwork that stifles innovation. 

Critics argue it strips states of the exact tools that matter most for safety at the point where safety can actually be addressed: development.

The preemption has a critical limitation worth understanding. It covers development only.

State laws governing how employers use AI in the workplace, including California's ADMT regulations, New York City's automated employment decision tool audit requirements, and the Illinois Artificial Intelligence Video Interview Act, remain fully intact under the current draft. 

This is a federal floor on model builders, a jurisdiction that stops before deployment.

The bill also formally establishes the Center for AI Safety and Innovation (CAISI) in statute, previously known as the AI Safety Institute under the Biden administration, with a director appointed by the Secretary of Commerce. 

💡
CAISI would be tasked with developing guidelines and voluntary standards, evaluating US and foreign AI systems, and identifying security vulnerabilities in models from foreign competitors. A $100 million federal AI standards center is included in the proposal.

The governance gap that still exists

Here is the challenge that both laws leave open: 

A company deploying a large language model in HR decisions across multiple US states now faces a genuinely complex compliance surface. Colorado's new law applies to deployers. 

So does New York City's AEDT law. 

California's Privacy Protection Agency is finalizing ADMT rules. The federal bill, even if passed, covers model development, a stage most enterprise deployers are downstream of entirely.

The organizations that will navigate this well are those that treat AI governance as an operational layer rather than a compliance sprint. 

That means:

  • Systematic AI system inventory: Map every model and automated workflow touching consequential decisions. This is table stakes for SB 26-189, California's ADMT rules, and any future federal framework. Systems embedded in vendor tools, especially in HR, underwriting, and fraud detection, are frequently missed in first-pass inventories.
  • Documentation built for portability: The NIST AI RMF and ISO/IEC 42001 address the core requirements across multiple jurisdictions simultaneously. Organizations with existing ISO/IEC 42001 implementations are already positioned to satisfy SB 26-189's documentation requirements and can claim SB 26-189's safe harbor protections more readily.
  • Vendor contract alignment: SB 26-189 places documentation duties on developers. If your organization procures ADMT from a third party, the question of who owns documentation obligations and whether contracts reflect that is now a legal exposure point.

The GAAIA is a discussion draft. Congress breaks for recess in August 2026, and the bill has real opposition from state-rights advocates and safety researchers who want states to retain development-level authority. Treat it as a strong signal of federal intent. 

Track the rule-making calendar alongside it.

Is your AI agent also your biggest data leak?
A Microsoft and Huazhong University benchmark tested GPT-4o, GPT-5, Grok-3, and others on realistic enterprise data scenarios. Privacy violation rates hit 50.9%. More capable models made it worse, and the fix has nothing to do with model selection…
AI Accelerator InstituteAndrew Lovell

What the next six months look like

The Colorado Attorney General's rulemaking timeline under SB 26-189 will determine when real compliance obligations begin for deployers under the replacement law. That timeline is the critical variable to monitor in Q3 2026. 

The GAAIA, meanwhile, enters a comment and revision phase before any formal introduction, and the preemption language is widely expected to attract significant stakeholder pushback.

For enterprises already building AI governance programs, the practical message from both developments is the same: the specific requirements are moving, but the direction is stable. 

💡
Consumer notice, human oversight, documentation, and adverse-outcome explanation rights are consistent across every framework on the table, whether state or federal, current or proposed.

Build toward those four pillars and the regulatory surface becomes substantially more manageable, regardless of which specific law lands first.

The organizations treating AI governance as a one-time compliance exercise rather than an operational capability are those that will face a fire drill every time the legislative calendar moves. At the rate 2026 is moving, that fire drill schedule is looking crowded.