The Institute for AI Measurement Science

Colorado Just Changed Its AI Law. The Compliance Work Did Not Change.

Colorado just repealed its AI governance law. Here is what your compliance roadmap still needs.

February 19, 2026

Colorado just repealed the most comprehensive AI governance law in the United States. On May 14, Governor Polis signed SB 26-189. The law that required deployers to build NIST AI RMF- or ISO 42001-aligned risk management programs is gone. It has been replaced with a narrower notice-and-disclosure framework effective January 1, 2027.

If your compliance roadmap was built around Colorado's rebuttable presumption pathway, that pathway no longer exists under state law.

What Does Not Change

  • NIST AI RMF alignment still satisfies EU AI Act risk management requirements
  • ISO 42001 still appears in enterprise procurement and vendor diligence checklists
  • Impact assessments are still required for EU AI Act high-risk systems
  • Evidence of ongoing governance is still the first thing auditors ask for
  • Your enterprise buyers still want proof you govern your AI

Laws will keep moving. The evidence infrastructure is what survives across all of them.

The Legal Stake

Deployers who align to these frameworks produce a defensible position under the EU AI Act, enterprise procurement, and emerging US state law, regardless of which statute governs.

The standard is not compliance with one law. It is evidence of a working governance system.

Evidence is what auditors verify. Not framework selection.

The Six Controls

Six controls satisfy all three regimes: Colorado SB 26-189, NIST AI RMF 1.0, and ISO/IEC 42001:2023.

Controls 1–2: Risk Policy + Impact Assessment

Control 1: Risk management policy (NIST AI RMF GOVERN 1.1–1.7, ISO 42001 Clauses 5–6)

Control 2: Impact assessment (NIST AI RMF MAP 1.1–5.2, ISO 42001 Annex A.6.2)

Evidence needed: Dated policy doc + per-system assessment + exec sign-off log

Controls 3–4: Annual Review + Notification

Control 3: Annual deployment review (NIST AI RMF MANAGE 4.1, ISO 42001 Clause 9.2)

Control 4: Consumer notification (NIST AI RMF GOVERN 5.2, ISO 42001 Annex A.7.4)

Evidence needed: Annual audit report + notification log per consequential decision

Controls 5–6: Monitoring + Documentation Handoff

Control 5: Discrimination monitoring (NIST AI RMF MEASURE 2.11, ISO 42001 Annex A.8.4)

Control 6: Developer doc handoff (NIST AI RMF MANAGE 3.2, ISO 42001 Annex A.6.2.5)

Evidence needed: Bias monitoring dashboard + versioned model cards per deployment

The Takeaway

The frameworks describe what to do.

Evidence is what auditors verify.

The same documentation satisfies ISO 42001, EU AI Act Article 12, and enterprise procurement requirements across every major buyer.

One artifact. Every deal.

This is the infrastructure IAIMS is building - open schemas, control-to-evidence maps, and documentation templates that produce defensible records regardless of jurisdiction.
