U.S. AI Regulatory Patchwork: Preemption Showdown, Colorado Repeal, and State-Level ADMT Regs (May 2026)

In May 2026, the U.S. state-level AI regulatory landscape experienced a massive realignment. Driven by constitutional litigation, executive-branch preemption strategies, and industry pressure, the first major state AI law (the 2024 Colorado AI Act) was repealed and replaced. Simultaneously, other states like Connecticut enacted sweeping new omnibus AI frameworks, and California’s privacy regulator finalized highly demanding automated decision-making rules, setting up a high-stakes constitutional showdown.


1. The Colorado AI Act Repeal and Replacement (SB 189)

On May 14, 2026, Colorado Governor Jared Polis signed Senate Bill 189, which completely repeals and replaces the controversial 2024 Colorado AI Act (SB 24-205) before its scheduled June 30, 2026 effective date.

The 2024 Act had faced intense industry scrutiny and a high-profile constitutional lawsuit. SB 189 significantly rolls back the most burdensome and vague provisions of the original law.

  • Rollbacks: SB 189 completely removes the requirements to implement comprehensive risk management plans, conduct formal algorithmic impact assessments, and notify the state Attorney General within 90 days of discovering likely algorithmic discrimination.
  • New ADMT Focus: The new framework focuses on Automated Decision-Making Technology (ADMT) used to make, guide, or assist a "consequential decision" about an individual in covered domains (including education, employment, housing, financial/lending, insurance, healthcare, and essential government services).
  • Developer Obligations: Developers of ADMT must provide deployers with technical documentation detailing intended uses, training data categories, known limitations, and instructions for appropriate use. Both developers and deployers must maintain compliance records for at least three years.
  • Consumer Rights: Deployers must provide clear and conspicuous notice at the point of interaction. If an ADMT is used to make an adverse consequential decision, the deployer must notify the consumer within 30 days, explain the decision and the ADMT’s role, and provide a right to correct inaccurate personal data and to request a "commercially reasonable" human review for meaningful reconsideration.
  • Enforcement: The Colorado Attorney General retains exclusive enforcement authority; there is no private right of action. The law takes effect January 1, 2027.

2. The DOJ AI Litigation Task Force and Federal Preemption

The legislative retreat in Colorado was catalyzed by a major federal intervention. In late April 2026, the newly formed U.S. Department of Justice (DOJ) AI Litigation Task Force intervened in xAI LLC v. Weiser (Colorado AG), joining xAI's lawsuit to enjoin the 2024 Colorado AI Act.

  • Mandate and Structure: The Task Force was established in January 2026 under Executive Order 14365 ("Ensuring a National Policy Framework for Artificial Intelligence," signed December 11, 2025). It is chaired by the Attorney General and features senior DOJ leadership (including the Solicitor General and Civil Division). Its sole mission is to challenge "onerous" state AI laws that conflict with the federal policy of maintaining U.S. AI dominance through a "minimally burdensome national framework."
  • Article II Strategy: Rather than waiting for express statutory preemption from Congress, the executive branch is using Article II litigation powers, Commerce Department referrals of "onerous" state laws, and conditional federal funding to dismantle state-level AI regulations.
  • Constitutional Arguments: In the Colorado case, the DOJ and xAI argued that the state law violated:
    1. The First Amendment by compelling speech (mandatory disclosures regarding internal model bias) and forcing developers to embed the state's preferred views on equity into their models, infringing on editorial judgment.
    2. The Fourteenth Amendment due to unconstitutional vagueness (e.g., undefined terms like "perceived" and "differential treatment") and Equal Protection violations (codifying carveouts for diversity-focused AI outputs).
    3. The Commerce Clause by imposing substantial extraterritorial compliance burdens that require nationwide product alterations.
  • Litigation Status: The enactment of the scaled-back SB 189 likely renders the xAI v. Weiser lawsuit moot, achieving the Task Force's goal of blocking the 2024 Act's most restrictive provisions without a prolonged trial.

3. Connecticut's SB 5: The Next Preemption Target?

Even as Colorado retreated, Connecticut moved forward. In May 2026, the Connecticut legislature passed Senate Bill 5 (the Online Safety Act / Artificial Intelligence Responsibility and Transparency Act) by overwhelming margins (131-17 House, 32-4 Senate), and Governor Ned Lamont signed it into law.

SB 5 represents a sprawling omnibus regulatory framework with phased effective dates:

  • October 1, 2026 (AEDT, Whistleblowers, and Large Provenance):
    • Regulates Automated Employment Decision Technology (AEDT) used in hiring, firing, or promotion. Developers must provide technical compliance documentation to deployers, and "AI is not a defense" anti-discrimination rules take effect.
    • Prohibits large frontier model developers (grossing over $500M annually) from penalizing employees who report "catastrophic risks" and mandates anonymous internal reporting channels.
    • Large generative AI providers (1M+ monthly users) must embed metadata-based provenance data into audio, image, and video content.
    • Employers must notify the Labor Department if layoffs are caused or influenced by AI.
  • January 1, 2027 (AI Companion Chatbots):
    • Chatbot operators must disclose that the user is interacting with an AI (at the start and at least hourly).
    • Chatbots must implement self-harm and suicide detection protocols.
    • For minor users (under 18), chatbots are prohibited from being marketed as therapists, engaging in romantic or sexually explicit interactions, or using manipulative engagement techniques (e.g., simulating loneliness or soliciting gifts). A private right of action is available solely for minor-related chatbot violations.
  • October 1, 2027 (General AEDT and All Provenance):
    • Deployers must provide pre-decision notices to employees/applicants and a plain-language explanation of principal reasons after an adverse decision.
    • All generative AI developers must ensure AI-generated content is marked and detectable.

Preemption Risk: Because SB 5 mandates synthetic media provenance, restricts automated chatbot speech, and regulates frontier model risk reporting, it is highly vulnerable to First Amendment and Commerce Clause challenges. It is widely considered the DOJ AI Litigation Task Force's next primary target.


4. California's CPPA ADMT and Risk Assessment Rules

California is pursuing a separate administrative path. On September 23, 2025, the California Privacy Protection Agency (CPPA) finalized a comprehensive package of CCPA regulations, which took effect January 1, 2026, with critical compliance deadlines phased over the next two years:

  • ADMT Compliance (January 1, 2027):
    • Applies to any technology that processes personal information to replace or "substantially replace" human decision-making.
    • Businesses using ADMT to make "significant decisions" about California consumers (in financial/lending, housing, education, employment, or healthcare) must provide a conspicuous Pre-use Notice explaining how the ADMT works, its intended outputs, and how the decision would be made if the consumer opts out. Consumers are granted a right to opt out and a right of access to information about how the ADMT evaluated them.
  • Privacy Risk Assessments (December 31, 2027):
    • Businesses whose processing presents a "significant risk" (including selling/sharing personal information, processing sensitive data, using ADMT for significant decisions, or training ADMT/facial recognition) must complete detailed risk assessments.
    • Annual Submission (Starting April 1, 2028): Businesses must submit a summary of these risk assessments annually to the CPPA, accompanied by an attestation signed by an executive under penalty of perjury.
    • HR and B2B Scope: Unlike other state laws, California’s rules explicitly apply to employee, job applicant, contractor, and B2B data, significantly expanding the compliance surface for enterprise legal teams.

Preemption Risk: California's administrative mandate for pre-use notices, opt-outs, and perjury-backed risk assessment summaries represents an immense operational burden on interstate commerce. This makes the CPPA regulations a prime candidate for a Commerce Clause challenge by the DOJ Task Force, particularly given the FTC's mandate under EO 14365 to issue policy statements preempting state rules that "require alterations to the truthful outputs of AI models."

