State AI Law Is the Only AI Law. Everywhere It's Crumbling.
Colorado's legislature just gutted the 2024 Colorado AI Act, leaving only post-hoc notification after adverse AI decisions. California, Texas, and New York have all retreated in similar fashion. A pattern is forming.
Colorado was the first U.S. state to pass a comprehensive AI consumer protection law. As of May 2025, it is also the first to gut one.
The Colorado legislature has passed Senate Bill 189, a stripped-down successor to the 2024 Colorado AI Act (SB24-205). Where the original law imposed proactive obligations on both AI developers and deployers — risk management programs, annual impact assessments, anti-discrimination duties, and meaningful appeal rights — the new bill reduces the legal floor to a single disclosure obligation: companies must tell you, after the fact, when an AI system denied you a loan, a job, or housing. An opportunity to appeal survives. The rest is gone. Governor Jared Polis is expected to sign the bill; the effective date has been pushed to January 2027.
The Colorado retreat is not an isolated case. In California, Texas, and New York, AI regulation bills have been vetoed, gutted, or diluted beyond operational recognition. The pattern is now clear enough to plan around.
What Colorado’s 2024 AI Act Actually Required
SB24-205, signed May 17, 2024, was substantive law. For developers, it required reasonable care to prevent algorithmic discrimination, disclosures to deployers about high-risk systems, and a 90-day window to report discovered discrimination risks to the attorney general. For deployers, it required written risk management policies for high-risk AI, annual impact assessments, consumer notification when AI made consequential decisions, and rights for consumers to correct data and appeal adverse outcomes.
The law covered AI used in consequential decisions: employment, housing, education, financial services, healthcare. The Colorado AG held exclusive enforcement authority; violations were treated as deceptive trade practices.
That framework is now largely repealed by SB 189.
What SB 189 Leaves Standing
Under the version that passed, the only remaining obligation for companies using AI in covered decisions is notification: tell the affected person, after the denial has happened, that an AI system was involved. An appeal pathway is preserved. The proactive duties — impact assessments, risk programs, deployer documentation, developer disclosure — are gone.
To be precise about what this means operationally: a company may deploy an AI system that denies loan applications, screens out job candidates, or rejects housing applicants without any legal requirement to assess whether the system discriminates, document how it works, or verify its outputs before deployment. The only exposure is a post-hoc disclosure obligation after the adverse decision.
The Broader Retreat
Colorado’s rollback is the most dramatic because it involves amending existing law, but it sits alongside a series of similar legislative outcomes.
California. Governor Gavin Newsom vetoed SB 1047 in September 2024. The bill would have required developers of frontier AI models to implement safety protocols, conduct pre-deployment risk assessments, and maintain shutdown capabilities. After passing both chambers, it died on Newsom’s desk. The governor cited concerns that the bill regulated systems based on cost thresholds rather than actual risk.
Texas. The Responsible Artificial Intelligence Governance Act entered the session as a 43-page bill with duty-of-care requirements for high-risk AI systems — language borrowed closely from the EU AI Act framework. Before Governor Abbott signed it, the high-risk system obligations and duty-of-care provisions were removed. The signed version applies primarily to state agencies, not to private companies.
New York. Governor Kathy Hochul signed the RAISE Act, but only after amendments reduced maximum penalties from $30 million to $3 million and narrowed applicability to companies with annual revenues exceeding $500 million. Smaller AI deployers are now outside the statute’s reach.
Why This Matters for Compliance Teams
The immediate operational consequence is that organizations deploying AI systems in consequential U.S. decision-making contexts face substantially reduced state-law compliance obligations compared to what the regulatory environment looked like 18 months ago. The Colorado law that was on many compliance roadmaps for a February 2026 effective date now requires only a disclosure workflow, not a risk governance program.
That is not, however, a clean bill of health. Several risks remain live:
Federal enforcement. The FTC retains authority under Section 5 of the FTC Act to treat biased or deceptive AI decision-making as an unfair or deceptive practice. The agency has used this authority in algorithmic enforcement actions and has not retreated from AI oversight. HHS, EEOC, and banking regulators have all issued guidance signaling interest in AI decision systems in their sectors.
EU AI Act. For organizations with EU market operations, the Artificial Intelligence Act (Regulation (EU) 2024/1689) is not optional and is not retreating. High-risk AI systems as defined in Annex III — including AI used in employment decisions, credit scoring, and access to essential services — face conformity assessment obligations, registration requirements, and post-market monitoring duties that are substantially more demanding than what any U.S. state law enacted.
Tort and civil rights exposure. Adverse AI decisions affecting protected classes remain subject to civil rights litigation under Title VII, the Fair Housing Act, and the Equal Credit Opportunity Act regardless of what state legislatures do with AI-specific bills.
Regulatory arbitrage scrutiny. Several civil society organizations have noted that weakened state AI laws may trigger closer scrutiny from federal agencies watching for systemic harms that no regulator is covering.
What to Do This Quarter
Legal / Compliance. Audit which AI governance obligations on your roadmap were Colorado SB24-205-driven. Revise the scope and timeline accordingly — but do not retire the underlying risk documentation, since that work supports EU AI Act conformity assessment and FTC litigation readiness.
GRC / ML Platform. Maintain the impact assessment process as an internal control even without a legal trigger. If your system makes credit, employment, or housing decisions, an undocumented bias event is a material risk whether or not a state law compels the assessment.
Legal. Review Colorado SB 189’s notification and appeal requirements as currently drafted. If you use AI in covered decisions, a consumer disclosure workflow is still mandatory under the law Polis is expected to sign; build it before January 2027.
Policy Function (if you have one). Monitor whether the federal AI policy environment shifts. EO 14110 was rescinded; OMB M-24-10 remains in force for federal agencies but does not bind private companies. The window for federal preemption legislation — which would either set a floor or a ceiling for state laws — is active in the current Congress.
The 2024 cycle of state AI legislation looked, briefly, like the beginning of a coherent compliance regime. The 2025 cycle looks like a controlled demolition of it. The only meaningful external pressure on private-sector AI governance in the U.S. domestic market right now comes from federal sector-specific regulators and the courts — neither of which moves as fast as a legislature that changes its mind.
Sources
Hard Reset Media — “State AI Law Is the Only AI Law. Everywhere It’s Crumbling.” Primary reporting on Colorado SB 189 and the broader pattern of state AI bills weakened or vetoed in 2024–2025. Covers Colorado, California, Texas, and New York in detail.
Colorado General Assembly — SB24-205: Consumer Protections for Artificial Intelligence. The full text of Colorado’s 2024 AI Act, signed May 17, 2024. Establishes the original duty-of-care, impact assessment, and consumer appeal requirements that SB 189 partially repeals. Official legislative record.
California Legislature — SB 1047: Safe and Secure Innovation for Frontier Artificial Intelligence Models Act. Legislative history showing passage of both chambers (August 28–29, 2024) and subsequent enrollment before Governor Newsom’s veto. Official record of the bill’s scope and status.