days until compliance begins
Colorado’s new ADMT law
SB 26-189
Colorado repealed and replaced its 2024 AI Act with SB 26-189, an automated decision-making technology (ADMT) transparency regime. Substantive compliance begins January 1, 2027. The new duties are about clear notices, disclosures, and human review — and GLACIS produces the signed runtime evidence behind every one.
What the law says
Who it covers
Developers and deployers of covered automated decision-making technology (ADMT) used to materially influence a consequential decision — access to or eligibility for education, employment, housing, financial or lending services, insurance, health-care services, and essential government services or public benefits.
Key requirements
- • Clear-and-conspicuous pre-use notice before a covered ADMT materially influences a consequential decision
- • Plain-language disclosure within 30 days of an adverse outcome
- • On request, access to and correction of inaccurate personal data
- • On request, meaningful human review where commercially reasonable
- • Developer documentation for deployers; records retained at least 3 years
Where this bites first: hiring. Candidate screening and ranking are consequential decisions under SB 26-189; see how signed runtime evidence works for hiring AI. Health-care services are covered too; teams that buy or review clinical AI should start with healthcare AI vendor review.
When it takes effect
SB 26-189 was signed May 14, 2026; substantive duties commence January 1, 2027, and the AG must adopt clarifying rules by the same date. The Attorney General must give 60 days’ notice and an opportunity to cure where a cure is possible — a right that sunsets January 1, 2030. Continuous evidence means you can show what your ADMT actually did when a question arises.
How it’s enforced
Violations are deceptive trade practices, enforced exclusively by the Colorado Attorney General with no private right of action. Civil penalties run up to $20,000 per violation (up to $50,000 where the affected consumer is an elderly person), each consumer or transaction a separate violation.
From a duty of care to a duty to disclose
SB 26-189 drops the old reasonable-care duty, mandatory impact assessments, and the NIST AI RMF / ISO 42001 safe harbor. What remains is a transparency regime: notices, disclosures, data correction, and meaningful human review. Those obligations turn on being able to show what your ADMT actually did.
A disclosure you can’t substantiate is a risk
When you tell a consumer how an ADMT shaped a decision — or offer human review of it — you need a faithful record of what ran. A policy PDF describes intent; it doesn’t evidence the decision itself. (Frameworks like NIST AI RMF and ISO 42001 remain useful practice, though Colorado no longer treats them as a legal defense.)
GLACIS is the record behind the disclosure
GLACIS generates continuous cryptographic evidence of what your ADMT actually did — third-party witnessed, tamper-evident, retained for your recordkeeping. That’s the substantiation behind your pre-use notices, adverse-outcome disclosures, and human-review records.
How GLACIS gets you there
1. Assess your gaps
The 30-day Sprint maps where your ADMT decisions are observable today against the notice, disclosure, and human-review duties ahead, starting with one named workflow.
2. Continuous evidence
Deploy the GLACIS SDK. Every ADMT decision generates a cryptographic receipt, countersigned by an independent witness. Zero data egress.
3. Substantiate every disclosure
Your evidence trail backs each ADMT notice, adverse-outcome disclosure, and human-review record — continuously, not just when a question lands. Ready to share with consumers, counsel, and the regulator.
Every notice and human-review duty in SB 26-189 turns on showing what the ADMT actually did; signed runtime receipts are that record.