TL;DR: On May 14, 2026, Colorado Governor Polis signed SB 26-189, a substantial rewrite of Colorado's original AI Act that delays the effective date from June 30, 2026 to January 1, 2027 and replaces the broad "high-risk AI system" framework with a narrower regime focused on "automated decision-making technology" (ADMT). For NC small businesses with Colorado customers, the practical effect is more time and a more workable compliance target: a 40-employee carve-out, a 60-day right to cure, and targeted consumer disclosures replacing the original law's mandatory impact assessments. But Colorado is the leading edge of state AI law, and the new framework is the template other states (and federal regulators) are watching.
Key takeaway: SB 26-189 is not "the AI law went away" - it is "the AI law moved from heavyweight governance to operational obligations." NC small businesses that touch hiring, lending, housing, healthcare, education, or insurance decisions for Colorado consumers now have a clearer, narrower, and more enforceable compliance target.
Need an AI compliance roadmap? Preferred Data Corporation runs AI governance and compliance engagements for NC small businesses. Call (336) 886-3282 or request an AI readiness assessment.
What changed in Colorado AI law on May 14, 2026?
Colorado replaced its 2024 AI Act (SB 24-205) with SB 26-189, a substantially narrower law that addresses business and small-employer concerns raised during the 18-month implementation runway. Per Hunton Andrews Kurth's analysis and the Buchalter employment-focused breakdown, the key changes are:
| Element | Original SB 24-205 (2024) | New SB 26-189 (May 2026) |
|---|---|---|
| Effective date | June 30, 2026 | January 1, 2027 |
| Core concept | "High-risk AI system" | "Automated decision-making technology" (ADMT) |
| Scope trigger | AI used in consequential decisions | ADMT that processes personal data to "materially influence" a consequential decision |
| Impact assessments | Broad, mandatory annual assessments | Removed |
| Risk management program | Mandatory documented program | Removed |
| Algorithmic discrimination cause of action | Created | Removed (no private right of action under the law) |
| Consumer disclosures | Required pre-decision | Required pre-decision and post-adverse-outcome |
| Human review right | Not explicit | Required where technically feasible |
| Right to correct inaccurate data | Limited | Explicit consumer right |
| Small employer carve-out | None | Carve-out for employers with ≤40 employees (conditional) |
| Right to cure | Not explicit | 60-day right to cure (sunsets Jan 1, 2030) |
| Rulemaking | Permissive | Mandatory; must complete by Jan 1, 2027 |
The net effect for most NC SMBs: the compliance lift is materially smaller, the deadline is 6 months further out, and the scope is much more clearly defined.
Why does Colorado SB 26-189 matter for NC small businesses?
Three reasons, in order of likelihood for any given NC SMB:
1. You have Colorado customers, candidates, or employees
The law applies to ADMT decisions about Colorado consumers, not just Colorado-headquartered businesses. An NC manufacturer with one Colorado customer, an NC professional services firm with Colorado job applicants, or an NC SaaS vendor with Colorado users is in scope if their AI tools influence consequential decisions for those individuals.
2. Colorado is the leading edge of state AI law
Per the Consumer Finance Monitor analysis, Colorado's new ADMT framework is being closely watched by other states drafting AI laws and by federal regulators considering harmonized approaches. The compliance architecture you build for Colorado will likely satisfy a significant fraction of the state laws coming online in 2027-2028.
3. AI vendor management is now a discrete compliance domain
SB 26-189 places obligations on both developers and deployers of ADMT, which means an NC SMB using a vendor's AI hiring tool, customer scoring tool, or pricing tool needs to confirm in writing that the vendor supports the disclosures, human review, and correction rights the law requires. This is a new line item in vendor due diligence.
What is an "automated decision-making technology" (ADMT) under SB 26-189?
SB 26-189 defines ADMT as technology that processes personal data to make or materially influence a "consequential decision." Per Ogletree's compliance breakdown, a consequential decision is one that has a material, legal, or similarly significant effect on the consumer in domains including:
- Employment opportunities (hiring, compensation, termination)
- Credit and lending decisions
- Housing decisions (rental, purchase, insurance)
- Healthcare access or treatment recommendations
- Education enrollment or evaluation
- Insurance underwriting and pricing
- Essential government services
The "materially influence" standard captures both fully automated decisions and AI-assisted decisions where a human makes the final call but is meaningfully informed by AI output.
Does the 40-employee carve-out apply to my NC small business?
The carve-out generally exempts employers with 40 or fewer employees from "deployer" obligations under the statute, but per the Buchalter employer-focused analysis, there are important conditions. The carve-out narrows or disappears if:
- You use ADMT to materially influence hiring and compensation decisions
- You operate in healthcare, financial services, insurance, or another sector with sector-specific AI rules
- You are a developer (not just a deployer) of ADMT
- You aggregate to more than 40 employees across related entities
For NC small businesses near or above the 40-employee threshold, the safer planning posture is to assume the carve-out does not apply and build the consumer disclosure and human-review baseline regardless. The cost is modest, and it future-proofs against growth and against other states (most of which do not have similar carve-outs).
What are the core compliance obligations under SB 26-189?
For deployers (the NC small business using the AI tool), the core obligations per STACK Cybersecurity's compliance guide and the Hunton analysis are:
Pre-decision consumer notice
Before using ADMT to materially influence a consequential decision, provide the consumer with a clear and conspicuous notice describing:
- That ADMT is being used
- The categories of personal data being processed
- The purpose and broad logic of the system
- The consumer's rights to human review and to correct data
Post-adverse-outcome explanation
Within 30 days of an adverse outcome (denial, termination, declined offer), provide a plain-language description of:
- The principal factors that contributed to the decision
- The data sources the decision relied on
- The consumer's right to correct inaccurate data and request human review
Right to inspect, correct, and obtain human review
Provide consumers with the operational ability to:
- Inspect the personal data the ADMT relied on
- Correct factually inaccurate personal data
- Request meaningful human review of an adverse decision (where technically feasible)
Vendor and contract management
If you deploy a vendor's ADMT, your contract should require the vendor to support the above operations and to notify you of relevant changes to the model or training data.
Get an AI compliance assessment →
What is the practical NC small business AI compliance roadmap for the rest of 2026?
A practical six-month roadmap that gets an NC SMB to a defensible posture before the January 1, 2027 effective date:
| Month | Action | Owner |
|---|---|---|
| June 2026 | Inventory all AI tools in use across HR, marketing, finance, operations | Operations lead + IT partner |
| July 2026 | Categorize each tool: ADMT vs. non-ADMT; in-scope vs. out-of-scope domain | Legal advisor or compliance lead |
| August 2026 | Draft AI acceptable use policy and pre-decision notice templates | Compliance lead with sample templates |
| September 2026 | Send vendor questionnaires to each in-scope ADMT vendor | Procurement / IT |
| October 2026 | Configure human-review workflows for adverse-outcome cases | Functional managers (HR, ops) |
| November 2026 | Train staff on consumer rights, notice timing, and review escalation | HR / compliance lead |
| December 2026 | Run a tabletop exercise: a Colorado consumer requests human review | Operations + leadership |
| January 1, 2027 | Effective date - notices, reviews, and corrections live | All |
For an NC small business doing this work in-house, expect 80-200 hours of effort across the period. A managed AI compliance engagement typically compresses the timeline and reduces the rework cost.
How does SB 26-189 compare to other state and federal AI rules?
Colorado is the most concrete, but it sits in a broader patchwork:
| Jurisdiction | Status as of May 2026 | NC SMB relevance |
|---|---|---|
| Colorado (SB 26-189) | Signed May 14, 2026; effective Jan 1, 2027 | Direct if Colorado consumers in scope |
| Texas (TRAIGA, RAISE) | Effective various 2026 dates; safe harbor for NIST AI RMF adoption | Increasingly common compliance target |
| California (SB 53, SB 942, AB 2013) | Various effective dates 2025-2026 | High if California customers in scope |
| EU AI Act | Full enforcement Aug 2026 | Direct if EU customers; foundational standard |
| NIST AI RMF | Voluntary framework | De facto compliance target across multiple state laws |
| Federal (executive orders, FTC) | Active enforcement; no comprehensive law | FTC Operation AI Comply continues |
The single highest-leverage move for an NC SMB is adopting NIST AI RMF and ISO 42001 as the operating framework. Most state laws (including Colorado SB 26-189) recognize these frameworks as evidence of reasonable compliance.
What is the role of the 60-day right to cure?
SB 26-189 includes a 60-day right to cure that lets businesses remediate violations before facing enforcement action. The provision is meaningful but expires January 1, 2030, which means:
- For 2027-2029, an NC SMB that receives a notice of violation has 60 days to fix the underlying issue without penalty
- After January 1, 2030, violations can be enforced directly without the cure window
- The cure right is operationally significant only if you have already built a remediation playbook; without one, 60 days is not much time
How does Preferred Data Corporation help NC small businesses with AI compliance?
We run AI compliance assessments (ADMT inventory, scope mapping, gap analysis against SB 26-189 and NIST AI RMF), implement AI governance programs (policies, vendor management, human-review workflows), and provide ongoing managed AI compliance support. Most NC SMBs do not need a full-time AI compliance officer; they need a partner who tracks state and federal AI rules and operationalizes them in proportion to business risk.
Frequently Asked Questions
When does Colorado SB 26-189 take effect?
January 1, 2027, a six-month delay from the original SB 24-205 effective date of June 30, 2026. The Colorado Attorney General must complete mandatory rulemaking before that date.
Does Colorado SB 26-189 apply to NC small businesses?
Yes, if your business uses automated decision-making technology to materially influence consequential decisions about Colorado consumers (customers, candidates, employees, applicants). Physical location in NC does not exempt the business; the trigger is the consumer's state and the nature of the decision.
What is the difference between a "developer" and a "deployer" under SB 26-189?
A developer designs, codes, or substantially modifies the ADMT. A deployer uses the ADMT in their business operations to make or influence consequential decisions. Most NC SMBs are deployers (using a vendor's AI hiring tool, scoring tool, or pricing tool), not developers. Deployer obligations focus on consumer notice, human review, and data correction; developer obligations include documentation and support for deployer obligations.
What happens if my NC small business does not comply by January 1, 2027?
Until January 1, 2030, you have a 60-day right to cure after notice of violation. After 2030, enforcement is direct. The Colorado Attorney General has exclusive enforcement authority; there is no private right of action under SB 26-189. Penalties are not yet finalized pending rulemaking but are likely to follow Colorado's consumer protection penalty framework.
Should I still adopt NIST AI RMF if I am below the 40-employee threshold?
Yes. NIST AI RMF is increasingly the de facto AI governance baseline across state laws and customer due diligence questionnaires. Adopting it costs little and creates a defensible posture for current Colorado obligations, future state laws, and customer/vendor questions. See our Colorado AI Act + EU AI Act compliance playbook for the framework alignment details.
How much does AI compliance cost for an NC small business?
A defensible AI compliance program for a 50-200 employee NC SMB runs $15,000-$50,000 in first-year implementation cost (inventory, policy, vendor management, human-review workflows, staff training) plus $1,000-$5,000 per month ongoing for vendor monitoring, policy updates, and incident support. Costs scale with the number of in-scope ADMT systems, not headcount.
What is the relationship between SB 26-189 and AI hiring tools?
AI hiring tools (resume screening, candidate scoring, automated interview analysis) are explicitly in scope as ADMT influencing employment decisions. NC SMBs using AI hiring tools for Colorado-based applicants must provide pre-decision notice, support post-adverse-outcome explanation, and offer meaningful human review on adverse outcomes. The 40-employee carve-out narrows or disappears for hiring use cases per the statute's conditions.
Related Resources
- Colorado AI Act + EU AI Act compliance playbook
- AI governance for small business risk management
- AI agent ROI reality check for NC small business
- AI transformation services for NC businesses
- Managed IT services for North Carolina businesses
About the author: Preferred Data Corporation has provided managed IT, AI transformation, and cybersecurity services to North Carolina small businesses since 1987. Based at 1208 Eastchester Drive, Suite 131, High Point, NC 27265, we serve manufacturers, construction firms, and professional services organizations across the Piedmont Triad, Charlotte, and Raleigh metros. Call (336) 886-3282 or request an AI compliance assessment.