The US AI rulebook is being rewritten. Your compliance team can’t wait

America’s AI regulatory landscape just had a month that made legal counsel everywhere reach for stronger coffee. Colorado’s landmark AI Act, once celebrated as the country’s first comprehensive state AI law, was gutted and replaced before it ever took effect. 

Then, eleven days later, a bipartisan House duo dropped a 269-page federal bill aiming to freeze every state AI development law in the country for three years. If you are responsible for AI governance at an enterprise, these two events belong at the top of your agenda right now.

Colorado blinks first

Colorado’s original AI Act (SB 24-205) was ambitious. 

It imposed a risk-based framework on deployers and developers of high-risk AI systems, requiring annual impact assessments, risk management programs, and discrimination-prevention duties covering employment, housing, healthcare, financial services, and education. 

After two deadline delays, Governor Jared Polis signed SB 26-189 on May 14, 2026, replacing the original law entirely. The mandatory risk management programs are gone. So are the annual impact assessments and the algorithmic discrimination duty of care.

What survived is narrower: consumer notice obligations before AI is used in consequential decisions, the right to an explanation for adverse outcomes, a meaningful human review path, and developer documentation requirements. 

The new law, SB 26-189, governs automated decision-making technology (ADMT) that “materially influences” consequential decisions. Enforcement now sits under a new effective date of January 1, 2027, with the Colorado Attorney General running rule-making.

For compliance teams, the practical shift matters. The priority is no longer building an enterprise AI risk program from scratch under a compressed timeline.

The more immediate focus is on mapping where AI touches consequential decisions, building consumer notice into those workflows, maintaining appeal paths, and keeping vendor agreements aligned with the new documentation requirements.

What your legal team should actually track

The replacement law retains enough to require real operational work. Here is what the new framework requires of deployers and developers:

Pre-use consumer notice: A clear, conspicuous disclosure that ADMT is being used in a consequential decision. Prominent public notices at consumer interaction points satisfy this requirement.

Adverse outcome explanations: When AI influences a decision that denies, terminates, revokes, or materially reduces access to a service or opportunity, affected consumers have the right to an explanation.

Worse pricing terms also trigger this duty; the law covers the full spectrum of adverse outcomes, from outright rejections to materially less favorable terms.

Meaningful human review: Consumers must have a path to contest AI-influenced decisions through a genuine human review process, entirely separate from the automated system that produced the original outcome.

Developer documentation: Organizations building or substantially modifying ADMT systems face documentation requirements that align with existing frameworks like the NIST AI Risk Management Framework and ISO/IEC 42001.

One important note on scope: “consumer” is defined broadly. It covers Colorado-resident employees, job applicants, and even non-residents whose access to a Colorado opportunity is being decided. HR deployments are firmly in scope.

Congress enters the field

On June 4, 2026, Representatives Jay Obernolte (R-CA) and Lori Trahan (D-MA) released a discussion draft of the Great American Artificial Intelligence Act of 2026 (GAAIA).

The 269-page bill targets frontier AI models, defined by compute thresholds, and proposes a framework spanning safety, transparency, whistleblower protections, workforce development, and cybersecurity.

The headline provision for enterprise teams is a three-year preemption clause.

If passed, the bill would freeze all state laws specifically regulating AI model development for three years, with Congress holding the field on how frontier models are built. Supporters frame this as necessary to avoid a fragmented patchwork that stifles innovation. 

Critics argue it strips states of the exact tools that matter most for safety at the point where safety can actually be addressed: development.

The preemption has a critical limitation worth understanding. It covers development only.

State laws governing how employers use AI in the workplace, including California’s ADMT regulations, New York City’s automated employment decision tool audit requirements, and the Illinois Artificial Intelligence Video Interview Act, remain fully intact under the current draft. 

This is a federal floor on model builders; its jurisdiction stops before deployment.

The bill also formally establishes in statute the Center for AI Safety and Innovation (CAISI), previously known as the AI Safety Institute under the Biden administration, with a director appointed by the Secretary of Commerce.

CAISI would be tasked with developing guidelines and voluntary standards, evaluating US and foreign AI systems, and identifying security vulnerabilities in models from foreign competitors. A $100 million federal AI standards center is included in the proposal.

The governance gap that still exists

Here is the challenge that both laws leave open: 

A company deploying a large language model in HR decisions across multiple US states now faces a genuinely complex compliance surface. Colorado’s new law applies to deployers. 

So does New York City’s AEDT law. 

California’s Privacy Protection Agency is finalizing ADMT rules. The federal bill, even if passed, covers model development, a stage most enterprise deployers are downstream of entirely.

The organizations that will navigate this well are those that treat AI governance as an operational layer rather than a compliance sprint. 

That means:

  • Systematic AI system inventory: Map every model and automated workflow touching consequential decisions. This is table stakes for SB 26-189, California’s ADMT rules, and any future federal framework. Systems embedded in vendor tools, especially in HR, underwriting, and fraud detection, are frequently missed in first-pass inventories.
  • Documentation built for portability: The NIST AI RMF and ISO/IEC 42001 address the core requirements across multiple jurisdictions simultaneously. Organizations with existing ISO/IEC 42001 implementations are already positioned to satisfy SB 26-189’s documentation requirements and can claim SB 26-189’s safe harbor protections more readily.
  • Vendor contract alignment: SB 26-189 places documentation duties on developers. If your organization procures ADMT from a third party, the question of who owns documentation obligations and whether contracts reflect that is now a legal exposure point.

The GAAIA is a discussion draft. Congress breaks for recess in August 2026, and the bill has real opposition from states' rights advocates and safety researchers who want states to retain development-level authority. Treat it as a strong signal of federal intent.

Track the rule-making calendar alongside it.

What the next six months look like

The Colorado Attorney General’s rulemaking timeline under SB 26-189 will determine when real compliance obligations begin for deployers under the replacement law. That timeline is the critical variable to monitor in Q3 2026. 

The GAAIA, meanwhile, enters a comment and revision phase before any formal introduction, and the preemption language is widely expected to attract significant stakeholder pushback.

For enterprises already building AI governance programs, the practical message from both developments is the same: the specific requirements are moving, but the direction is stable. 

Consumer notice, human oversight, documentation, and adverse-outcome explanation rights are consistent across every framework on the table, whether state or federal, current or proposed.

Build toward those four pillars and the regulatory surface becomes substantially more manageable, regardless of which specific law lands first.

The organizations treating AI governance as a one-time compliance exercise rather than an operational capability are those that will face a fire drill every time the legislative calendar moves. At the rate 2026 is moving, that fire drill schedule is looking crowded.
