If you run a small business in Colorado and tuned out the AI law debate because you assumed the small-business exemption protected you, this is the post to read. On May 14, Governor Polis signed SB 26-189, which substantially rewrites the original Colorado AI Act. The new law delays the effective date from June 30, 2026 to January 1, 2027, narrows what's covered, and — importantly for SMBs — removes the under-50-employees exemption that was in the original framework.

What actually changed

The original Colorado AI Act was a sweeping framework targeting "high-risk AI systems" and "algorithmic discrimination," with broad governance and impact assessment requirements. The amended law is narrower and more targeted. It focuses on "automated decision-making technology" that processes personal data and "materially influences" a "consequential decision" — think hiring, lending, housing, insurance, healthcare access, education. Instead of broad governance obligations, the new requirements center on consumer disclosures, post-adverse-outcome explanations, correction rights, and meaningful human review.

The small-business exemption is gone

This is the part most likely to surprise local owners. The original bill carved out companies with fewer than 50 employees. The amended version does not. If your business uses AI to materially influence a consequential decision about a customer or employee, the size of your company doesn't get you out of the obligations. The law also removed a safe harbor that would have let companies claim compliance by following the NIST AI Risk Management Framework or ISO 42001. There's no longer a clean "we follow the standard" shield.

What this means in practice

For most Denver SMBs, the practical impact comes down to two questions. First: do you use AI in hiring, performance reviews, pricing decisions, lending, or any other call that materially affects someone? If yes, you'll likely owe disclosures and a human-review path by January 1, 2027. Second: do your vendors? Many SMBs aren't building AI — they're using a CRM, an ATS, or a productivity tool that quietly has AI built in. The compliance obligation may follow your vendor selection more than your own engineering.

What you have time to do

You have roughly seven months before the rules go into effect, and rulemaking is still in motion — exact obligations may shift before January. Use the time to inventory: list every place AI is making or influencing a consequential decision in your business, including features inside tools you already pay for. Ask vendors for their compliance plans in writing. Set up a basic human-review step for any consequential decision now, even before the law requires it — it's good practice regardless.

The honest caveat

The amended law is still subject to rulemaking, and "materially influence" and "consequential decision" will get sharper definitions over the next several months. This post is a starting orientation, not legal advice. For anything close to the line — especially in hiring, lending, or healthcare — talk to an attorney who's been tracking the bill, not a general-practice lawyer who hasn't.

Your next step

Block one hour this month to make the AI inventory list. That single list — what AI you use, what decisions it touches, and which vendor owns each — is the foundation of every compliance answer you'll be asked for in the next year. Owners who have it ready in October will spend December calmly. The ones who don't will not.