Take Two (AI) Bills And Call Me In the Morning

Two major state artificial intelligence laws signed in May 2026 mark a significant escalation in AI compliance obligations for businesses that develop or deploy AI systems. Connecticut’s Governor Lamont is expected to sign SB5 very soon, while Governor Polis signed Colorado’s SB 26-189 on May 14, 2026, overhauling and replacing the state’s landmark 2024 Colorado AI Act. Together, these laws reinforce and deepen the fragmented state AI compliance landscape I discussed during an April 16, 2026, MEF Presentation, and impose concrete, near-term obligations that companies operating in the US cannot ignore.

Connecticut SB5: A Multi-Front AI Statute

Passed by the Connecticut legislature on May 1, 2026, SB5 bundles several distinct AI regulatory frameworks into one statute. Unlike broad governance statutes that impose overarching risk-management duties, SB5 takes a targeted approach, creating specific compliance obligations across six principal areas.

AI Companion Bots

Effective January 1, 2027, Connecticut becomes the seventh state to regulate AI companion bots, joining New York, California, Washington, Oregon, Idaho, and Iowa. SB5’s definition of “AI companion” is particularly broad and will cover any AI model that “(i) communicates with individuals in natural language, and (ii) simulates human conversation and interaction through text, audio or video.” Exclusions exist for bots used by businesses solely for internal purposes, customer service, or employee productivity, and for systems primarily designed to provide efficiency, research, or technical assistance.

All operators must include a protocol to detect expressions of suicide, self-harm, or imminent violence, refer users to appropriate resources including the 9-8-8 National Suicide Prevention Lifeline, and provide clear and conspicuous notices that the user is communicating with an AI and not another individual. The Attorney General is empowered to enforce these requirements with civil penalties of up to $15,000 per day per violation.

Additionally, SB5 prohibits operators from providing AI companions to users under 18 if it is “reasonably foreseeable” that the companion is capable of: (i) encouraging self-harm, suicidal ideation, violence, disordered eating, or unlawful substance use; (ii) offering mental health services; (iii) discouraging users from seeking professional mental health help or adult assistance; (iv) encouraging harm to others or illegal activity; (v) engaging in romantic, erotic, or sexually explicit interaction; (vi) prioritizing validation of the user’s beliefs over factual accuracy or safety; (vii) implementing reward or affirmation systems based on variable-ratio or variable-interval reinforcement schedules designed to maximize engagement time; or (viii) optimizing engagement in any manner that overrides those prohibitions.

The mental health services prohibition carries a narrow exception: a licensed mental health professional may use a companion bot with a patient as part of a treatment plan, provided the companion was developed with robust, independent, peer-reviewed clinical trial data demonstrating safety and efficacy for specific conditions and populations, the developer has established clear lines of accountability, functions and limitations are accessible to the user and the treating professional, the companion discloses at the beginning of each interaction that it is not a licensed mental health professional, and a licensed mental health professional has assessed the user’s suitability, instructed its use, and is actively supervising.

Operators can rely on a safe harbor provision if they “reasonably determined” a user was at least 18 before providing access to the companion. For violations of the minor-specific prohibitions, civil penalties of up to $25,000 per violation apply, and aggrieved users (and their parents) have a private right of action within three years for actual and punitive damages plus attorneys’ fees. Given the breadth of the definition and the practical difficulty of guaranteeing guardrails in large language model-based systems, the law may effectively function as a ban on providing general-purpose chatbots to minors in Connecticut.

Synthetic Media Transparency                                              

By October 1, 2027, developers of AI systems or general-purpose AI models capable of generating synthetic digital content (e.g., AI-generated audio, images, text, and video) must ensure such content is marked and detectable as AI-generated. The requirement is subject to a “technically feasible” standard and directs developers to consider nationally or internationally recognized technical standards, ensuring solutions are effective, interoperable, robust, and reliable.

Exceptions include: (i) text-only content published in the public interest, (ii) content that is unlikely to mislead a reasonable person, (iii) content used in law enforcement, and (iv) tools that merely perform assistive editing functions without substantially altering input data. Artistic and satirical audio, image, or video content must only carry a disclosure that does not hinder display or enjoyment of the work. Unlike other restrictions in the statute, the synthetic media provisions do not specify who has enforcement authority or by what mechanism, leaving that question open pending further regulatory development.

Automated Employment Decision Tools

Effective October 1, 2027, Connecticut’s AEDP provisions establish a two-tier coverage framework. The definition of an “automated employment-related decision process” (AEDP) is broad — covering any computational process whose output affects an employment decision and is more than a de minimis factor, with numerous illustrative examples including resume screening, interview analysis, and third-party data use. However, the operative disclosure and notice obligations apply at a higher threshold: only when the AEDP output is used as a substantial factor in making and/or altering the outcome of an employment-related decision. This distinction matters significantly for determining which AI tools trigger affirmative compliance duties.

For covered uses, deployers must — before any employment-related decision is made — provide written notice disclosing: (i) that an AEDP has been deployed; (ii) the AEDP’s purpose and the nature of the decision; (iii) the individual’s right to opt out of personal data processing under state law; and (iv) contact information for the deployer. Where the employment decision is adverse, deployers must additionally provide a high-level statement disclosing the principal reasons, including the degree to which and manner in which the AEDP output contributed, and the type and source of data processed. If the AEDP output was based on data the employee or applicant did not themselves provide, the applicant must be provided an opportunity to examine and correct that data. This high-level statement must be provided in plain language, in all languages the deployer ordinarily uses for contracts and communications, and in a format accessible to individuals with disabilities.

AEDP violations are treated as unfair or deceptive practices enforceable solely by the Connecticut Attorney General, with a 60-day opportunity to cure where the AG determines a cure is possible. Separately, an amendment to state employment discrimination law will become effective October 1, 2026 (i.e., one year before the AEDP disclosure requirements), extending the antidiscrimination protections to cover AEDPs with a discriminatory effect. In those cases, adjudicating bodies must consider evidence of anti-bias testing efforts, including the quality, efficacy, recency, and scope of such testing and the deployer’s response to results.

Frontier Model Whistleblower Protections

SB5 provides whistleblower protections for employees of frontier AI model developers who disclose potential catastrophic risks, defined as (i) foreseeable risks of death or serious injury to more than 50 individuals, or (ii) more than $1 billion in property damage, arising from a single incident involving the model. The obligations apply in two tiers: all frontier developers are prohibited from having anti-retaliation policies or contracts and must post employee notices, while large frontier developers (those with over $500 million in annual gross revenues) must additionally establish anonymous internal reporting processes, conduct investigations, and provide monthly status updates to reporting employees, as well as quarterly reports to officers and directors.

Connecticut’s Commissioner of Consumer Protection may impose civil penalties of up to $1,000 per violation. Separately, the Attorney General’s office may bring an enforcement action at the Commissioner’s request. This provision mirrors a whistleblower protection originally included (and then removed) in New York’s RAISE Act, and is similar to California’s Transparency in Frontier Artificial Intelligence Act.

Additional Provisions of Note

Several further provisions of SB5 merit attention for affected businesses:

• Subscription-Based AI Provider Disclosures (effective October 1, 2026): Subscription-based providers of AI technology must deliver written notices to consumers disclosing key terms and conditions, including any limitations that may be imposed on use. Violations are enforceable as unfair or deceptive trade practices.
• AI and Collective Bargaining (effective October 1, 2026): AI technology may not be used by or on behalf of a Connecticut state employer (as defined under the state employee collective bargaining statute, C.G.S. §§ 5-270 to 5-280) in any manner that modifies or impairs existing collective bargaining agreements, reduces wages or benefits, assumes employee duties, or impairs the exclusive representative role of the employee organization.
• WARN Act AI Disclosure (effective October 1, 2026): Employers filing WARN Act layoff notices with the Labor Department must disclose whether the layoffs are related to the employer’s use of AI or another technological change.
• AI Regulatory Sandbox (effective July 1, 2027): The Commissioner of Economic and Community Development is directed to develop a plan for an AI regulatory sandbox program and submit legislative recommendations by January 1, 2028.
• Workforce and Education Initiatives: SB5 establishes a Connecticut AI Academy for training and digital literacy, an AI Workforce Research Hub, a Technology Advisory Board, and various other programs supporting AI workforce development and economic competitiveness.

Colorado SB 26-189: A Landmark Law Rewritten

Background and Legislative History

Colorado’s original AI Act (SB 24-205), signed in May 2024, was the nation’s first comprehensive state AI law. The original law’s complexity and breadth generated significant industry concern almost immediately. When Governor Polis signed it in 2024, he did so with reservations and asked the legislature to revisit it before its scheduled effective date. After a failed 2025 general session and a special session that only extended the effective date to June 2026, a working group of lawmakers, the Governor’s office, the Attorney General’s office, and industry stakeholders convened in fall 2025. That group’s March 2026 proposal provided the framework for SB 26-189, which passed the full legislature on May 9, 2026, and was signed by Governor Polis on May 14, 2026, with an effective date of January 1, 2027.

What SB 26-189 Changes

SB 26-189 replaces the original law’s “high-risk artificial intelligence system” and “algorithmic discrimination” framework with a narrower regime focused on “automated decision-making technology” (ADMT) that processes personal data and is used to “materially influence” a “consequential decision.” In this context, “Materially influence” requires a finding that the ADMT output be a non-de minimis factor used in a consequential decision, and that the ADMT output actually affect the outcome. For most businesses operating as deployers, the new law is meaningfully narrower than its predecessor. Key features include:

• Narrowed Covered Domains: SB 26-189 covers ADMT used to materially influence consequential decisions in: (i) education enrollment or opportunity; (ii) employment or employment opportunity creating an employer-employee relationship; (iii) residential real estate lease or purchase in Colorado; (iv) financial or lending services; (v) insurance (including underwriting, pricing, coverage, and claims adjudication); (vi) health-care services; and (vii) essential government services and public benefits. Of special note is that legal services, which were covered under the original AI Act, are not a covered domain under SB 26-189.
• Eliminated Federal Exemptions, But Sector-Specific Safe Harbors Remain: The original AI Act contained conditional exemptions for certain federally regulated entities. SB 26-189 eliminates those exemptions. However, the new law creates targeted compliance safe harbors: insurers subject to Colorado’s existing insurance AI regulation (C.R.S. §10-3-1104.9) are deemed in compliance with SB 26-189 in the practice of insurance; and HIPAA covered entities and their business associates are exempt from the core disclosure and consumer rights requirements. But the law will continue to apply to employment-related consequential decisions. Creditors that provide ECOA/Regulation B and FCRA-compliant adverse action notices satisfy SB 26-189’s disclosure requirements for the same credit decision, eliminating duplicative notice obligations.
• Shifted Deployer Obligations: Rather than broad governance and impact assessment duties, deployers must: (i) provide a clear and conspicuous point-of-interaction notice (which may be satisfied by a prominent public notice or link reasonably proximate to the transaction); (ii) within 30 days of an adverse outcome, deliver a plain-language description of the consequential decision, the ADMT’s role, instructions for requesting additional information, and an explanation of consumer rights; and (iii) upon consumer request following an adverse outcome, provide an opportunity to correct factually incorrect or materially inaccurate personal data and to request meaningful human review and reconsideration to the extent commercially reasonable. Three-year record-retention obligations are maintained.
• Meaningful Human Review Defined: The statute defines “meaningful human review” with specificity: the reviewer must (i) be designated by the deployer, (ii) have authority to approve, modify, or override the decision, (iii) consider relevant primary evidence, (iv) be trained to conduct the review, not default to the system output, and (v) have sufficient information about the output’s intended use, material limitations, input categories, and principal factors, without requiring disclosure of the proprietary source code, model weights, or trade secrets.
• Developer Documentation Obligations: Developers must provide deployers with documentation on intended and harmful uses, training data categories, known limitations, instructions for appropriate use and human review, and information necessary for deployer compliance. Material updates must be disclosed within a reasonable time.
• No Private Right of Action Clarified: SB 26-189 expressly states the law creates no new private right of action and closes alleged ambiguities in the prior law. Companies remain subject to discrimination claims under existing law, including the Colorado Anti-Discrimination Act, product liability, and other applicable theories.
• Indemnification Clauses Void: Contractual provisions between developers and deployers that purport to indemnify, defend, or hold harmless either party from liability for their own acts or omissions in violation of Colorado anti-discrimination law are contrary to public policy and void. This has immediate implications for AI vendor contracting.
• Fraud Prevention Exemption Adjusted: Technologies used for fraud prevention (e.g., identity verification, consumer identification, monitoring, and reporting controls required by law) are exempt from the definition of “consequential decision.” The economic sanctions compliance exemption excludes facial recognition unless its sole purpose is identity confirmation.
• 60-Day Cure Period (Time-Limited, Not Guaranteed): Where the AG determines a cure is possible, developers and deployers have 60 days to cure before enforcement action. The AG is not required to offer a cure period for knowing or repeated violations. The requirement to provide a cure period will expire on January 1, 2030.
• Mandatory AG Rulemaking: Rulemaking is mandatory and must be completed by January 1, 2027. The AG must clarify post-adverse outcome disclosure requirements and consumer rights, develop sector-specific guidance, and address interaction with federal notice requirements. The AG must begin annual public reporting on enforcement actions and cure periods starting January 2028.

Companies developing or deploying decision-support tools in Colorado should begin compliance planning now. Mapping covered ADMTs and building a general compliance framework do not need to wait for rulemaking, and operational changes to implement consumer rights may take several months to execute. The signed law and its January 1, 2027, effective date mean the sprint to the finish line has begun.

The Broader Landscape: A Patchwork in Motion

These developments do not occur in isolation. State law currently supplies the most concrete and affirmative compliance obligations for AI developers and deployers, while federal AI policy remains in flux. The Trump administration’s deregulatory executive orders create tension with ongoing FTC enforcement activity, and a December 2025 executive order directing the Commerce Department to study potential federal preemption of state AI laws signals that federal action could eventually narrow the state landscape.

In the meantime, companies face layered and diverging obligations across states. Colorado, Connecticut, California, New York, and Illinois each impose distinct requirements governing consequential automated decisions, transparency, employment, and consumer notice. Thresholds, exemptions, enforcement mechanisms, and effective dates differ materially across these laws, requiring companies to build adaptable compliance infrastructure rather than rely on a single universal approach.

Key Takeaways for Business

• Colorado SB 26-189 is signed law — begin compliance mapping now. With an effective date of January 1, 2027, and mandatory AG rulemaking due by the same date, companies should immediately begin mapping covered ADMT systems, reviewing vendor contracts for void indemnification clauses, and building disclosure and human-review frameworks.
• Reassess Colorado scope on your business, especially if you relied on federal exemptions or are in insurance or health care. The new law eliminates broad federal exemptions but creates targeted safe harbors for HIPAA covered entities (except employment decisions), insurers complying with Colorado’s insurance AI regulation, and creditors providing ECOA/FCRA-compliant adverse action notices. Understanding precisely which safe harbor, if any, applies to your operations is a threshold compliance question.
• Audit AI systems used in employment decisions in both states. Both Connecticut’s AEDP provisions and Colorado’s ADMT framework impose disclosure requirements on employment-related automated decisions. In Connecticut, apply the two-tier analysis: the “substantial factor” standard governs which uses trigger affirmative obligations. Note that Connecticut’s employment discrimination amendment takes effect October 1, 2026, before Colorado’s AEDP disclosure requirements.
• Assess companion bot and subscription AI deployments in Connecticut. Connecticut’s broad companion bot definition likely captures many general-purpose consumer-facing AI products. Companies serving Connecticut users should evaluate age-verification, content-governance, and operator-side compliance strategies. Separately, subscription-based AI providers must prepare key-terms disclosures effective October 1, 2026.
• Prepare synthetic media disclosure infrastructure. Developers of generative AI tools producing audio, image, or video content should begin planning technical watermarking and disclosure solutions ahead of Connecticut’s October 2027 deadline. The enforcement mechanism remains unspecified in the statute.
• Review collective bargaining agreements and WARN Act obligations if operating in Connecticut. Connecticut state employers must ensure AI use does not impair existing collective bargaining agreements (note: this provision applies only to state employers under C.G.S. §§ 5-270 to 5-280, not private employers). Employers making workforce reductions must make disclosures to the Labor Department if those reductions are AI-related.
• Design compliance programs for flexibility and multi-state divergence. With requirements diverging across states and federal preemption an open question, durable compliance programs should be modular and capable of incorporating new requirements as they emerge.