AI Regulatory Roundup: Recent Developments in Colorado, Connecticut, and California
State legislatures continue to move aggressively on artificial intelligence regulation in 2026, with Colorado, Connecticut, and California each advancing significant and distinct AI governance frameworks. For compliance professionals navigating this patchwork, these developments represent both a pause in some obligations and a deepening of others. Here’s what you need to know.
Colorado: Enforcement Halted, but a Legislative Overhaul Is in the Works
Colorado’s landmark AI law, SB24-205, enacted in 2024, was set to become the first comprehensive state-level AI regulatory regime targeting “high-risk artificial intelligence systems.” That timeline has been upended by litigation and legislative revision.
Enforcement Stay. On April 27, 2026, the U.S. District Court for the District of Colorado granted a joint motion in x.AI LLC v. Weiser to suspend case deadlines and—critically—stay enforcement of the Colorado AI Act. Under the court’s order, the Colorado AG “shall not initiate enforcement, including but not limited to the initiation of an investigation, for alleged violations of [the Colorado AI Act] (or any legislation replacing or amending [the Colorado AI Act] enacted during this legislative session)” until 14 days after the court rules on xAI’s forthcoming preliminary injunction motion. That motion, in turn, will not be filed until 28 days after AG Weiser completes rulemaking on the Colorado AI Act or any successor statute enacted this session. AG Weiser has also indicated he does not intend to promulgate rules until the legislative session concludes, further extending the practical timeline before enforcement could resume.
The Legislative Rewrite: Senate Bill 26-189. While enforcement is paused, Colorado lawmakers have introduced SB 26-189, which would repeal and replace the Colorado AI Act with a new framework governing automated decision-making technology (“ADMT”) used to materially influence “consequential decisions.” The shift in terminology—from “high-risk artificial intelligence systems” to “ADMT”—is a significant conceptual pivot.
Under SB26-189 as introduced, the compliance landscape changes significantly:
Developer duties would center on providing deployers with technical documentation describing the covered ADMT’s intended uses, categories of training data (to the extent known), known limitations and inappropriate uses, and instructions for appropriate use and human review. Developers would also be required to notify deployers of material updates and retain records for at least three years.
Deployer duties shift toward a disclosure-and-rights model: point-of-interaction notice to consumers, a plain-language description of the ADMT’s role within 30 days of an adverse outcome, and a process for consumers to request human review and correction of factually incorrect personal data.
What’s gone. Notably, SB26-189 would remove the Colorado AI Act’s requirements for deployer risk management programs aligned to industry standards, extensive risk assessments, and the duty to use “reasonable care to avoid algorithmic discrimination.” The replacement bill pivots from a comprehensive risk-management regime (aligned with the EU AI Act) to a more targeted documentation, notice, and rights-based framework (with similarities to recent CCPA regulations on automated decisionmaking technology).
Enforcement structure. The AG remains the sole public enforcer, with enforcement channeled through the Colorado Consumer Protection Act (deceptive trade practices). A 60-day notice-and-cure period applies before the AG may initiate an action, absent knowing or repeated violations. SB26-189 does not create a new private right of action.
Connecticut: A Sweeping Approach to AI Governance
Connecticut is advancing one of the most comprehensive omnibus AI bills in the country with Senate Bill 5, “An Act Concerning Online Safety.” On Friday, May 1, 2026, SB 5 cleared both chambers of the Connecticut legislature and is awaiting the Governor’s signature. Far from a single-issue statute, SB 5 addresses companion chatbots, employment-related automated decisions, synthetic digital content, safe harbors, and more.
Anti-Discrimination Integration. SB 5 also amends Connecticut’s existing anti-discrimination statutes to expressly cover the use of automated employment-related decision processes, making it a discriminatory practice to use such a process in a manner that has the effect of discrimination on the basis of protected characteristics. Courts and the Connecticut Commission on Human Rights and Opportunities would consider evidence (or lack thereof) of anti-bias testing or similar proactive efforts in assessing liability.
Synthetic Digital Content Labeling. Starting October 1, 2027, developers of AI systems capable of generating synthetic digital content—defined as any digital content produced or manipulated by an AI system—must ensure outputs are marked and detectable as AI-generated, in a manner that is detectable by consumers and consistent with recognized technical standards.
Automated Employment-Related Decision Processes. Effective October 1, 2026 (with substantive obligations kicking in October 1, 2027), the bill creates a dedicated regulatory framework for automated employment-related decision processes (“AEDPs”). Deployers using AEDPs must disclose to employees and applicants that they are interacting with such a process, including a description of its “general nature.” Before any employment-related decision is made, deployers must provide written notice disclosing deployment of the process, its purpose, opt-out rights under Connecticut’s data privacy law, and contact information. Developers must also provide deployers with all information necessary for deployers to comply with the above requirements.
If an automated process generates an adverse employment decision, the deployer must provide a high-level statement disclosing the principal reason(s) for the decision, including the degree to which the automated output contributed, the type of data processed, and the data source. Deployers must additionally offer an opportunity to examine and correct personal data not provided by the individual.
AI Companion Chatbot Safety. Effective January 1, 2027, SB 5 would require operators of AI companions—defined as AI models that simulate human conversation through text, audio, or video—to implement protocols to detect and address user expressions indicating a risk of suicide, self-harm, or imminent violence. Operators must also provide clear notice to users that they are communicating with AI at the beginning of each interaction (at minimum once daily) and hourly during continuous interactions. The AG would enforce these provisions, with civil penalties of up to $15,000 per day per violation.
Also effective January 1, 2027, the bill prohibits operators from providing an AI companion to users under 18 if it is reasonably foreseeable that the AI is capable of:
encouraging self-harm, violence, or disordered eating;
offering unregulated mental health services;
prioritizing validation of the user’s beliefs, preferences or desires over factual accuracy or the user’s safety;
engaging in romantic or sexually explicit interactions; or
deploying manipulative engagement techniques for the purpose of maximizing the user’s engagement time with the AI companion.
Violations carry civil penalties of up to $25,000 per violation, and notably, the bill also creates a private right of action for aggrieved users (or their parents), including actual and punitive damages.
AI Safe Harbor Program. Effective October 1, 2026, the bill establishes a voluntary safe harbor mechanism: AI users may submit proposed safe harbor programs, which can be administered by third parties, to the Department of Consumer Protection for approval. Participating AI users deemed compliant with approved program guidelines would be “deemed to be in compliance” with Connecticut’s data privacy and consumer protection statutes. Under the program, approved entities will be given a ten-day cure period to address any alleged violations of the Connecticut Data Privacy Act or Unfair Trade Practices Act. This provision offers a potentially significant compliance pathway for companies willing to submit to independent assessment and annual review.
California: AI Governance Takes Shape Through Political Competition
California’s AI regulatory landscape continues to evolve on multiple fronts—through enacted legislation, a pending ballot measure that could reshape state AI oversight, and a gubernatorial race in which AI governance has become a central policy issue. In January, we wrote about SB 243—California’s now effective “companion chatbot” law. The law requires operators of AI systems that provide adaptive, human-like responses and sustain a relationship across multiple interactions to notify users when they are interacting with AI and implement additional safeguards for minors, including recurring reminders every three hours that the user is interacting with a chatbot.
The Gubernatorial AI Policy Debate. On May 4, 2026, gubernatorial candidate Xavier Becerra released an 11-point AI policy plan framing California as the “gold standard” for AI policy, positioning it against what he calls the Trump administration’s “abdicated federal responsibility on AI governance.” Becerra’s platform calls for:
Expanding AI literacy through schools, libraries, and community colleges;
Deploying AI within state government for permitting, benefits delivery, and public health;
Continuously tracking AI’s large-scale economic effects on employment;
Funding CalCompute (a publicly owned cloud computing platform) to provide equitable access to AI infrastructure;
Enforcing and strengthening California’s existing AI standards;
Protecting children from AI-driven manipulative design and suicidal content;
Pursuing transparency and human review standards for high-stakes automated decisions affecting livelihoods, health, housing, or freedoms; and
Pushing for a national AI framework, arguing California must set the standard in the absence of federal leadership.
The plan reflects themes already embodied in existing California law and pending legislation, particularly around child safety, workforce impact, and transparency in automated decision-making.
Compliance Takeaways
Monitor Colorado’s legislative session closely. The enforcement stay buys time ahead of the Colorado AI Act’s current June 30 effective date. Colorado’s legislative session ends on May 13, 2026, and while SB 26-189 was only introduced on May 1st, the bill is moving quickly and may be raised for a vote before the session’s end. If enacted, SB 26-189 would take effect on Jan. 1, 2027. However, as noted above, the law would not be enforced until AG Weiser has concluded rulemaking.
Prepare for Connecticut’s multi-layered framework. SB 5 is a broad omnibus AI legislative package that introduces new employment-related AI obligations, chatbot safety rules, synthetic content labeling rules, safe harbor programs, and anti-discrimination provisions with varied effective dates and compliance mechanics. Companies with Connecticut operations, particularly those deploying automated tools in employment or consumer-facing AI, should begin evaluating internal compliance programs against the bill’s requirements.
Watch for Regulatory Action in California. With existing chatbot obligations in effect, a pending ballot measure, and a governor’s race that has elevated AI governance to a central policy platform, California remains the state most likely to set the pace for national AI regulation.
Across all three states, the clearest compliance through-line remains transparency, documentation, human review, and consumer rights in high-stakes automated decisions. Organizations building around those core principles will be best positioned regardless of which specific framework ultimately takes effect in its final form.