A 72-Hour Update on SB 26-189: Polis’s Signature Finalized, But Compliance Clock Hasn’t Started – Health Care Exemption and “Meaningful Human Review” Standard Clarified
Published: May 22, 2026
By: Zeeshan Khan
Reading time: 13 minutes
Category: Technology / Consumer Rights / Law
Note: May 22, 2026 – This is an update to the previous article: Colorado Governor Signs Weaker AI Law – Replacing Landmark Anti-Discrimination Act
DENVER – May 22, 2026 – Eight days after Governor Jared Polis signed Senate Bill 26-189 into law, the practical impact of the nation’s most closely watched AI anti-discrimination legislation remains uncertain. While the signature itself is final, Colorado Attorney General Phil Weiser has now made clear that enforcement of both the old and new laws is on hold – and will not begin until after the rulemaking process concludes.
This enforcement pause, confirmed in legal analyses published in the last 72 hours, creates a practical safe harbor for businesses. However, detailed regulatory guidance from major law firms has also clarified key provisions of the new law – including a broad health care exemption, a defined standard for “meaningful human review,” and a liability framework that prevents employers from shifting blame to AI vendors.
The new law, which takes effect January 1, 2027, replaces mandatory pre-deployment risk assessments with a narrower disclosure-and-human-review framework. But with rulemaking not yet begun and a federal lawsuit from Elon Musk’s xAI still pending, the compliance timeline remains fluid.
The Essentials: Who, What, When, Where, Why, How (Last 72 Hours)
Who: Colorado Attorney General Phil Weiser, who has committed to not enforcing the law until after rulemaking; Colorado Governor Jared Polis, who signed the bill on May 14; AI developers and deployers doing business in Colorado; HIPAA-covered entities and business associates, who are now explicitly exempted; and consumers, employees, and job applicants affected by algorithmic decisions.
What: Three major developments:
- Enforcement is on hold – Attorney General Weiser has stated he will not enforce SB 24-205 or SB 26-189 until after the rulemaking process concludes
- Health care entities are exempt – HIPAA covered entities and business associates are exempted from most obligations
- Liability framework clarified – A comparative fault system allocates responsibility between developers and deployers, and indemnification for one’s own discriminatory acts is prohibited
When: The enforcement guidance emerged in the last 72 hours (May 19-22, 2026), following legal analyses from Kelley Drye & Warren LLP, Reed Smith LLP, and the National Law Review. The underlying law was signed on May 14, 2026, and takes effect January 1, 2027.
Where: The enforcement pause applies to Colorado. The law applies to any entity “doing business in Colorado” that develops or deploys covered automated decision-making technology (ADMT), affecting companies nationwide that serve Colorado residents.
Why (Immediate Cause): The original 2024 law faced a federal lawsuit from xAI (filed April 9, 2026) and DOJ intervention (April 23, 2026). A federal magistrate granted a joint motion to stay enforcement on April 27, 2026. Attorney General Weiser’s commitment not to enforce the new law until after rulemaking provides clarity for businesses during the transition period.
How (Mechanism): The enforcement pause is a discretionary decision by the Attorney General, not a statutory change. Rulemaking must be completed by January 1, 2027, but the AG has not yet formally initiated that process. The xAI lawsuit remains pending; the court’s stay remains active until 14 days after a ruling on xAI’s preliminary injunction motion.
Specific Changes in the Last 72 Hours
1. Enforcement Is On Hold – No Compliance Clock Running
The most critical development is that enforcement of both the old and new AI laws is effectively frozen.
What Attorney General Weiser has stated: Colorado Attorney General Phil Weiser has stated he does not intend to enforce SB 24-205 or any legislation replacing or amending it—including SB 26-189—until after the rulemaking process has concluded.
What this means in practice:
| Implication | Detail |
|---|---|
| Compliance clock hasn’t started | Even though SB 189 takes effect January 1, 2027, the AG will not enforce until after rules are finalized |
| Rulemaking hasn’t begun | The AG must adopt rules by January 1, 2027, but that process has not yet been formally initiated |
| xAI lawsuit remains active | The court’s stay remains in effect until 14 days after a ruling on xAI’s preliminary injunction motion; that ruling is still pending |
| Practical safe harbor | For businesses, this creates a window of opportunity, not a reason for delay. Employers should prepare for the January 1, 2027, effective date, but no enforcement action can occur until rulemaking is complete |
Connection to previous article: The May 19 article noted that the federal court enforcement stay on the 2024 law was active. This new guidance confirms that enforcement of the new law is also on hold pending rulemaking.
2. Health Care Exemption Clarified
The new law includes a significant exemption for health care entities that was not present in the original 2024 law.
Who is exempted: HIPAA covered entities and business associates are exempted from many developer and deployer obligations unless they are using ADMT to make employment-related consequential decisions.
What this means:
| Entity Type | Exemption Level | Remaining Obligations |
|---|---|---|
| HIPAA covered entities | Exempt from most developer/deployer obligations | Must provide general notice about advanced technology use; specific disclosures when ADMT determines patient eligibility for financial assistance |
| Business associates | Exempt from most developer/deployer obligations | Same as above |
| Medical device manufacturers | Exempt for FDA-regulated activities | Clinical investigations and certain R&D exempt |
Also exempted: Medical devices and certain pharmaceutical or medical-device research and development activities subject to FDA oversight, including clinical investigations.
Why this matters: Hospitals, insurers, and other HIPAA-covered entities have fewer compliance burdens under the new law than other industries. However, they must still provide notice when ADMT is used for consequential decisions, particularly for financial assistance determinations.
3. Liability Framework Clarified: Developer-Deployer Fault Allocation
The new law introduces a comparative fault framework allocating liability between AI developers and the employers who deploy their tools.
Key liability provisions:
| Provision | Detail |
|---|---|
| Developer liability shield | A developer is generally not liable for a deployer’s misuse of ADMT, provided the developer complied with documentation obligations |
| Indemnification prohibition | Contracts cannot require one party to indemnify another for the indemnified party’s own discriminatory acts |
| Employer responsibility | Employers cannot escape liability for off-label use of AI tools |
| Void provisions | Any contractual provision that would shield a developer or deployer from liability for its own discriminatory acts is void |
Why this matters: This directly addresses the liability uncertainty created by the Mobley v. Workday case, in which a job applicant sued an employer for discriminatory outcomes produced by a third-party AI resume screening tool. Under the new law, employers cannot simply shift liability to their AI vendor through indemnification clauses. Each deployer remains responsible for its own compliance.
4. “Meaningful Human Review” Defined – A High Bar
The new law provides a specific definition of “meaningful human review” that sets a high standard for employers.
Requirements for meaningful human review:
- A trained individual with authority to approve, modify, or override the decision
- The reviewer must consider relevant evidence
- The reviewer cannot simply default to the system’s output
- The reviewer must have access to information about the system’s intended use and limitations
Practical implication: A recruiter who ratifies an AI-generated ranking without genuine deliberation does not meet this standard. Employers must design and document a genuine human review process.
5. Federal Court Stay Remains Active
The federal court enforcement stay on the 2024 law remains active until 14 days after the court rules on xAI’s preliminary injunction motion. That ruling is still pending.
Status update: Because the 2024 law is now repealed effective January 1, 2027, the practical impact of the stay is limited to the period between June 30, 2026 (when the 2024 law would have taken effect) and January 1, 2027 (when SB 189 takes effect). However, the stay also signals that the court is actively considering the xAI challenge, which could affect the new law as well.
Comparison: Before and After (May 19 vs. May 22, 2026)
| Issue | As of May 19 Article | As of May 22, 2026 (Current) |
|---|---|---|
| Governor’s signature | Completed May 14, 2026 | Completed (unchanged) |
| Effective date | January 1, 2027 | January 1, 2027 (unchanged) |
| Enforcement status | Not addressed in detail | On hold – AG will not enforce until after rulemaking |
| Rulemaking status | Required by Jan 1, 2027 | Not yet initiated |
| xAI lawsuit | Mentioned as pending | Still pending; stay remains active |
| Health care exemption | Not mentioned | Clarified – HIPAA entities exempted |
| Liability framework | Mentioned as “developer liability shield” | Detailed – comparative fault, no indemnification for own acts |
| “Meaningful human review” | Mentioned but not defined | Defined – high bar, no defaulting to output |
| Cure period | 60 days (expires 2030) | 60 days – but AG may skip for knowing/repeated violations |
| Private right of action | Not included | Not included (unchanged) |
| Media coverage | Minimal | Still minimal – coverage in legal trade publications only |
What Has Not Changed (Beyond the Clarifications)
The following elements of the new law remain unchanged from the May 19 article:
| Element | Status |
|---|---|
| Mandatory risk assessments | REMOVED (compared to 2024 law) |
| Risk management programs | REMOVED |
| Duty of “reasonable care” | REMOVED |
| Incident reporting | REMOVED |
| Pre-decision notice | Required (effective Jan 1, 2027) |
| Post-adverse outcome disclosure (within 30 days) | Required |
| Human review on request | Required |
| Data correction process | Required |
| Record retention (3 years) | Required |
| Private right of action | NOT included |
| AG enforcement only | Yes |
Arguments For and Against (Updated for May 22)
In Favor of the Enforcement Pause and Clarifications
1. Businesses Need Certainty Before Compliance
The enforcement pause gives businesses time to understand their obligations before facing potential penalties. Without this pause, companies would have to comply with a law whose implementing rules have not yet been written.
2. The Health Care Exemption Recognizes Existing Regulation
HIPAA-covered entities are already subject to extensive federal regulation. Exempting them from duplicative state requirements reduces compliance burden without eliminating protections, as patients retain rights under federal law.
3. The Liability Framework Is Fair
A developer should not be held liable for a deployer’s misuse of AI, and a deployer cannot escape responsibility for its own discriminatory acts by blaming its vendor. The comparative fault framework allocates liability where it belongs.
4. The Definition of “Meaningful Human Review” Provides Clear Guidance
Employers now know what is expected: a trained individual with authority to override who genuinely considers the evidence. This eliminates ambiguity and provides a compliance target.
Against the Enforcement Pause and Clarifications
1. The Enforcement Pause Delays Protections
Consumers who are discriminated against by AI systems will have no recourse until after rulemaking concludes. For a job applicant denied employment based on a biased algorithm, an enforcement pause offers no remedy.
2. The Health Care Exemption Creates a Gap
While HIPAA-covered entities are regulated, the exemption removes state-level oversight for AI discrimination in health care. A patient denied coverage or treatment by an algorithmic system may have fewer avenues for appeal.
3. The Liability Framework May Be Difficult to Enforce
Determining whether discrimination resulted from developer design or deployer misuse will require complex factual investigations. The Attorney General’s office, already resource-constrained, may struggle to allocate fault.
4. The “Meaningful Human Review” Standard Is Still Vague
While the law provides a definition, it does not specify what constitutes adequate training, how much deliberation is required, or what documentation must be kept. These details await rulemaking.
Remaining Concerns (Updated for May 22)
| Concern | Status |
|---|---|
| Enforcement on hold | AG discretion – could change after rulemaking |
| Rulemaking not yet begun | No timeline for initiation |
| xAI lawsuit pending | Could invalidate or modify the law |
| Private right of action | Not included (unchanged) |
| Cure period (60 days) | May allow violators to avoid penalties |
| AG resources for enforcement | Limited – uncertain capacity |
| Consumer awareness | Minimal – most Coloradans unaware of changes |
Current Status (As of May 22, 2026)
| Element | Status |
|---|---|
| SB 26-189 signature | COMPLETED (May 14, 2026) |
| Effective date | January 1, 2027 |
| Enforcement | ON HOLD – AG will not enforce until after rulemaking |
| Rulemaking | NOT YET INITIATED (required by Jan 1, 2027) |
| xAI lawsuit | PENDING – stay remains active |
| Health care exemption | CONFIRMED – HIPAA entities exempted |
| Liability framework | CLARIFIED – comparative fault, no indemnification for own acts |
| “Meaningful human review” | DEFINED – high bar, no defaulting to output |
| Private right of action | NOT INCLUDED |
| Cure period | 60 days (expires Jan 1, 2030) |
| National media coverage | NONE as of May 22, 2026 |
What to Watch For
| Event | Expected Timing | Significance |
|---|---|---|
| xAI preliminary injunction ruling | Unknown – pending | Could invalidate or modify the law |
| Attorney General rulemaking initiation | Unknown – must be completed by Jan 1, 2027 | Will clarify key definitions and requirements |
| Enforcement begins | After rulemaking concludes | No firm date – could be well after January 1, 2027 |
| Federal preemption | Unknown | DOJ intervention signals possible federal action |
| Other state responses | Unknown | Colorado’s law may influence California, New York, Illinois |
Why This Matters to the Average Person (Updated for May 22)
The enforcement pause and liability clarifications might seem like technical legal details, but they matter for four reasons that affect every American who has ever applied for a job, a loan, an apartment, or medical care.
First, enforcement is delayed, not cancelled. The Attorney General’s commitment not to enforce until after rulemaking means consumers have no immediate recourse. But the law will eventually take effect. The question is when.
Second, employers cannot shift blame to AI vendors. The liability framework means that a company that uses an AI hiring tool cannot escape responsibility by pointing to the tool’s developer. If the tool discriminates, the employer is on the hook.
Third, health care AI is largely exempt. Hospitals and insurers covered by HIPAA have fewer obligations. A patient denied coverage by an algorithmic system may have fewer avenues for appeal than a job applicant denied employment.
Fourth, the definition of “meaningful human review” matters. A recruiter who simply clicks “accept” on an AI-generated ranking does not meet the standard. Employers must design genuine human review processes – not rubber-stamping.
The bottom line: The Colorado AI law is signed and will eventually take effect. But the enforcement pause, the health care exemption, and the liability framework all shape what compliance will actually look like. The next critical milestone is the Attorney General’s rulemaking process – which has not yet begun.
Sources
- Colorado Attorney General Phil Weiser – Statement on enforcement of SB 24-205 and SB 26-189 (as cited in legal analyses, May 2026)
- Kelley Drye & Warren LLP – Ad Law Access (May 15-22, 2026) – Analysis of signature, enforcement pause, liability provisions, and health care exemption
- Reed Smith LLP – Technology Law Dispatch (May 15-22, 2026) – Updated analysis of SB 189 provisions, “meaningful human review” definition
- National Law Review (May 1-22, 2026) – xAI lawsuit status and enforcement stay
- Colorado General Assembly (May 14, 2026) – Bill signing record for SB 26-189
- Previous article: Colorado Governor Signs Weaker AI Law – Replacing Landmark Anti-Discrimination Act (The 5 Ws, May 19, 2026) – Baseline information on law’s provisions, removal of risk assessments, and enforcement structure
The 5 W's 
Leave a comment