Colorado's Horizontal AI Law Is Stayed. The Procurement Artifacts Don't Disappear; They Migrate to the Sector Regulator.
Colorado's Senate Bill 24-205 was supposed to be the first horizontal AI law in the United States to actually bind enterprises. It is now stayed pending litigation, the Department of Justice has intervened on the plaintiff's side, and the replacement bill introduced May 1 strips out the entire developer-deployer documentation regime. For the procurement teams that staffed up to comply, the operative work is not whether to disband the workstream; it is mapping which sector regulator each artifact now reports to.
April 9: xAI Files Suit
On April 9, xAI filed x.AI LLC v. Weiser in the U.S. District Court for the District of Colorado, a six-count complaint alleging First Amendment compelled-speech violations, dormant Commerce Clause extraterritoriality, Fourteenth Amendment due-process vagueness, and an Equal Protection challenge to the law's diversity carve-out. The complaint frames the statute as "an effort to embed the State's preferred views into the very fabric of AI systems." Whatever one thinks of that framing, the procedural posture matters: the case landed in front of Chief Judge Daniel D. Domenico with full constitutional artillery on day one, which is the posture that produces fast standstills.
April 24: DOJ Intervenes
Two weeks later, the Civil Rights Division of the U.S. Department of Justice filed a Complaint in Intervention, the first time the federal government has directly intervened to challenge a state AI law. Chief Judge Domenico granted intervention the same day. Within hours, Colorado Attorney General Phil Weiser agreed to a standstill: no rulemaking until the legislative session ends, and no enforcement until two weeks after the court rules on xAI's preliminary injunction motion, per terms reported by StateScoop. xAI in turn committed to filing the preliminary injunction motion within 28 days of Colorado adopting either rules or replacement legislation.
April 28: The Stay Is Formalized
Magistrate Judge Cyrus Y. Chung issued the minute order formalizing the stay on April 28. At this point, the developer-deployer documentation flow-down required by SB 24-205, the three-year system record retention and the pre-deployment, annual, and post-substantial-modification impact assessments, the NIST AI RMF or ISO/IEC 42001 risk-management policy mandate, and the AG disclosure requirement, are all paused. The affirmative defense for NIST-aligned programs sits in the same legal limbo as the obligations it was designed to protect against. The covered consequential decisions, education, employment, financial services, essential government services, healthcare, housing, insurance, and legal services, retain their statutory definition but no enforcement mechanism behind it.
May 1: The Replacement Bill Drops
On May 1, Senator Robert Rodriguez, Senate President James Coleman, House Majority Leader Monica Duran, and Assistant House Majority Leader Jennifer Bacon introduced SB26-189, a replacement bill that retains only consumer notification when AI is a substantial factor in a consequential decision plus the right to appeal that decision. "This one is more of a notice bill," Rodriguez told the Colorado Sun. The 28-day litigation clock attaches to whichever Colorado adopts first, replacement legislation or rules under the original statute, which means the operative date for buyers tracking this is the bill's session path through the Colorado General Assembly, not the federal docket.
What Migrates and Where
The procurement artifacts SB 24-205 was going to require, model cards, training-data summaries, evaluation methodology documentation, foreseeable-use and harmful-use disclosures, dataset cards, and impact assessments, are largely the same artifacts that sector regulators already expect from regulated buyers. What changes is which regulator binds you and what contractual leverage you keep when the state-law backstop is gone. This is a U.S.-specific dynamic; the horizontal regime path the EU is still walking under the AI Act does not face the same DOJ-backed challenge, so EU obligations remain a separate compliance track.
Insurance carriers in any of the roughly 24 states that have adopted the NAIC Model Bulletin on AI Use by Insurers carry the same diligence obligation for third-party AI vendors as for internal systems under the NAIC's market-conduct-exam look-back regime, and the NAIC Third-Party Data and Models (H) Working Group is drafting a vendor registry framework that will sit on top of that obligation. Mortgage originators selling loans to Fannie Mae or Freddie Mac face the GSE AI governance mandate that routes through Selling Guide representations and warranties, where vendor and subcontractor accountability flows through loan-level repurchase risk rather than through any horizontal antidiscrimination statute. Healthcare entities subject to the HHS OCR Section 1557 AI nondiscrimination final rule, whose affirmative requirements went effective May 1, 2025, are responsible for discrimination produced by third-party patient-care decision-support tools; the documentation flow-down is contractual rather than statutory, but the regulator expects to see it in audit. Employers operating in New York City face annual bias audits and candidate-notice obligations under Local Law 144, with DCWP enforcement having tightened after the December 2025 NY State Comptroller audit and penalties running $500 to $1,500 per day per violation.
For multi-state operators, the more durable horizontal floor is the Texas Responsible AI Governance Act, HB 149, effective January 1, 2026. TRAIGA is intent-based rather than outcome-based, with civil penalties of $10,000 to $12,000 per curable violation, $80,000 to $200,000 per uncurable violation, and $2,000 to $40,000 per day for continuing violations, and AG-exclusive enforcement authority. The DOJ Equal Protection theory that landed Colorado in standstill does not reach an intent-based statute cleanly, which means TRAIGA is structurally more litigation-resistant than SB 24-205 ever was. California adds two more rows to the matrix: SB 942's effective date moved to August 2, 2026, and AB 2013 training-data transparency went effective January 1, 2026.
What Procurement Should Do This Quarter
SB26-189 erases the developer-deployer documentation flow-down that Colorado was going to impose by statute. The sector regulator still expects model cards, training-data summaries, and evaluation methodology in audit, so procurement now has to require those artifacts contractually rather than rely on the vendor producing them under state law. That is a vendor agreement amendment cycle, not a compliance-program rebuild, and the contractual regime needs to carry the auditor row that procurement now has to maintain alongside the artifact requirements, because SOC 2 attestations alone do not substitute for AI-specific diligence.
The buyer-side principle for the rest of 2026 and through 2027 is straightforward: any state attempting SB 24-205-style horizontal regulation now faces a DOJ-backed challenge with a same-day-intervention, two-week-standstill blueprint already on the docket. Build vendor contracts and procurement processes against the sector floors that already bind, not against the state ceiling that may not survive the next preliminary injunction hearing. The artifacts migrate cleanly; the regulator does not. Get the contractual documentation flow-down language into the next vendor renewal cycle, treat NAIC, OCR Section 1557, FHFA, NYC Local Law 144, and TRAIGA as the binding floor, and track SB26-189 through the Colorado session because that is the bill that controls the 28-day clock, not the docket.
