All notes
America's toughest AI law just got rewritten before it started

June 7, 2026

America's toughest AI law just got rewritten before it started

Colorado's AI Act was supposed to be the big one — the first comprehensive US AI law, landing in 2026, with real duties to prevent algorithmic discrimination. Then a judge froze it, the legislature gutted it, and the whole thing got pushed to 2027 with its teeth pulled. If you scrambled to comply with the version that's now dead, you just learned the real lesson about building for AI regulation: don't build for the deadline. Build for the handful of obligations that survive every rewrite, because those are the ones that were just good engineering anyway.

For two years, Colorado's AI Act (SB 24-205) was the law everyone pointed to — the first comprehensive AI regulation in the US, the one that was going to force real accountability on "high-risk" systems making consequential decisions about jobs, housing, healthcare, and credit. Companies built compliance programs around it. Consultants sold readiness checklists. The clock was ticking toward a 2026 implementation date.

Then, in the span of a few weeks, it basically evaporated. A federal magistrate judge stayed enforcement on April 27, and on May 14 the governor signed a replacement, SB 26-189, that pushes the effective date to January 2027 and strips out the law's hardest parts — the duty of care against algorithmic discrimination, the mandatory risk-management programs, the annual impact assessments. The toughest AI law in America got rewritten before it ever took effect.

If you're building anything with AI in it, there's a genuinely useful lesson in this whiplash, and it's not "ignore regulation."

The deadline was a moving target. They usually are.

The teams that suffered most here are the ones that treated a specific law's specific requirements as the goal — that built a compliance binder for this statute, on this date, with these assessment templates. They optimized for a target that moved, and now a chunk of that work is aimed at a law that no longer exists.

This is the normal condition of AI regulation right now, not an exception. The rules are being written, challenged, frozen, and rewritten in real time, often faster than you can ship a compliance project. Colorado is just the most dramatic example: a landmark law gutted by its own legislature weeks before launch. If your strategy is "comply precisely with whatever's about to take effect," you will spend the next several years rebuilding for each new draft. The deadline is the wrong thing to build for, because the deadline keeps changing.

Build for what survives every rewrite

Here's the more useful move. Look at what didn't get cut. Even in the stripped-down replacement law, a few obligations survived: telling people when AI is used in a decision about them, giving them a notice and a way to appeal an adverse decision, and letting them correct wrong data the system used. Not discriminating. Keeping documentation of how the thing works.

Notice what those have in common: they're not bureaucratic box-ticking. They're just good engineering and basic decency, the kind you'd want even if no law required them. An AI making a consequential decision should be able to explain it, a person affected should be able to contest it, and the data behind it should be correctable. That's the same thing I keep arguing for on its own merits — agents in high-stakes domains need grounding, an audit trail, and a human who can be overruled — and it's the same reason "the AI did it" can't be allowed to be the end of a conversation.

That's why these are the parts that survive. Regulators keep landing on them across every jurisdiction and every rewrite because they're the irreducible core: transparency, contestability, accountability, non-discrimination. The fights are over the paperwork around that core, not the core itself.

What a builder should actually do

You don't need a legal team to act on this. The durable playbook is small:

  • Build the principles in, not the paperwork. Make every consequential AI decision explainable, appealable, and logged — by design, from the start. That satisfies the spirit of essentially every AI law, current or coming, and doesn't have to be redone when the statute changes.
  • Don't over-fit to one jurisdiction's templates. Specific assessment forms and filing formats are exactly the part most likely to change. Keep your compliance work modular so a new framework is a remapping, not a rebuild.
  • Let people see and correct their data, and tell them AI was involved. These showed up in the original law and survived the rewrite. They'll be in the next one too. Just do them.
  • Watch the direction, not the date. The useful signal isn't "this takes effect June 30." It's "every serious AI proposal, here and in the EU, points at the same handful of duties." Build toward the direction and the dates stop mattering.

The bottom line

Colorado just demonstrated, at maximum volume, that you can't build your AI strategy around a specific law on a specific date — because the most famous AI law in the country got rewritten weeks before it landed. The deadline-chasers are now holding a binder for a dead statute.

The builders who'll be fine are the ones who never built for the deadline. They built systems where an AI decision can be explained, appealed, and corrected, where nothing important happens without an accountable human and a record of why — because that was the right way to build regardless of what any legislature did this month. Regulation will keep lurching. The principles underneath it barely move. Build for those, and you're compliant with the law that passes, the law that gets rewritten, and the law that hasn't been drafted yet.

Comments

No comments yet

Sign in to join the conversation.

Be the first to share a thought.