Automated Decision-Making Tool (ADMT) obligations mapped to SWT3 AI witness procedures. Effective January 1, 2027.
Who this is for: Compliance officers, AI deployers operating in Colorado, legal counsel, and engineering teams building automated decision systems for lending, insurance, employment, or housing.
Legislative update: Colorado's original AI Act (SB 24-205) was stayed by a federal court on April 27, 2026. Governor Polis signed the replacement bill SB 26-189 on May 14, 2026. This guide maps the replacement law's requirements, which take effect January 1, 2027.
Colorado SB 26-189 replaces the broader SB 24-205 with a focused notice-and-transparency framework for Automated Decision-Making Tools (ADMT). It applies to any deployer that uses AI to make or substantially influence a consequential decision affecting a Colorado consumer in areas including:
The law imposes four core obligations:
| Obligation | Requirement | Timeline |
|---|---|---|
| Pre-use notice | Clear, conspicuous notice before consumer interacts with ADMT | Before interaction |
| Post-adverse disclosure | Plain-language explanation of decision, ADMT's role, and consumer rights | Within 30 days of adverse outcome |
| Human review | Meaningful human review and reconsideration on request | Upon consumer request |
| Recordkeeping | Records sufficient to demonstrate compliance | 3-year retention |
Each SB 26-189 obligation maps to one or more SWT3 procedures. The SWT3 SDK generates cryptographic evidence anchors for each procedure, creating an immutable compliance record.
| SB 26-189 Obligation | SWT3 Procedure | What It Witnesses | Evidence Produced |
|---|---|---|---|
| Pre-use notice | AI-TRANS.1 | Transparency disclosure delivered to consumer | Anchor with disclosure type, recipient type, timestamp |
| Post-adverse disclosure | AI-AUTO.1 | Automated decision notification with legal effects | Anchor with decision type, human review status |
| Explanation of decision | AI-EXPL.1 | Feature attribution / explanation generated | Anchor with feature count, method used |
| Confidence communication | AI-EXPL.2 | Model confidence score for the decision | Anchor with confidence value, calibration status |
| Human review | AI-HITL.1 | Human review completed on consumer request | Anchor with review outcome, reviewer identity |
| Override tracking | AI-HITL.2 | Human override of AI decision recorded | Anchor with override reason, original vs. final decision |
| Data correction | AI-DATA.4 | PII lifecycle event (correction, deletion) | Anchor with records affected, event type |
| Consent / legal basis | AI-CONSENT.1 | Consumer consent or legal basis verified | Anchor with consent type, withdrawal status |
| Recordkeeping (3 years) | AI-AUDIT.1 | Audit log integrity verified | Anchor with entry count, tamper detection result |
| Bias prevention | AI-FAIR.1 | Bias disparity ratio measured | Anchor with group count, max disparity |
| Bias audit | AI-FAIR.3 | Bias audit conducted across demographics | Anchor with groups tested, disparities found |
| Model documentation | AI-INF.1 | Inference provenance (model, prompt, response hashed) | Anchor with model hash, prompt hash, response hash |
| Model integrity | AI-MDL.1 | Deployed model hash matches approved registry | Anchor with weight hash, version identifier |
SB 26-189 requires: Clear and conspicuous notice to consumers before they use or interact with a covered ADMT.
How SWT3 addresses it: witnessTransparency() mints an anchor recording the disclosure type (AI usage notification), recipient type (end user / data subject), and timestamp. The anchor proves the notice was generated and delivered before the consequential decision.
Query the witness ledger for AI-TRANS.1 anchors filtered by consumer ID. Each anchor's timestamp proves pre-interaction notice. The clearing level ensures raw content is stripped while the compliance hash is retained.
SB 26-189 requires: Within 30 days of an adverse outcome, deployers must deliver a plain-language disclosure explaining the decision and the ADMT's role.
How SWT3 addresses it: witnessAutomatedDecision() mints an anchor with the decision type (credit, employment, insurance, housing), human review status, and notification timestamp. Combined with AI-EXPL.1, this creates a complete adverse action evidence chain.
Filter ledger for AI-AUTO.1 anchors where decision_type matches regulated categories. Cross-reference with AI-EXPL.1 anchors to verify explanation was generated. Timestamp delta proves 30-day disclosure window compliance.
SB 26-189 requires: Meaningful human review and reconsideration upon consumer request, to the extent commercially reasonable.
How SWT3 addresses it: witnessHumanReview() records the review completion with reviewer identity. If the human overrides the AI decision, witnessHumanOverride() captures the original decision, override reason, and final outcome. Together they prove the review was substantive, not rubber-stamped.
AI-HITL.1 anchors prove review occurred. AI-HITL.2 anchors (if present) prove override capability exists and is exercised. Absence of any AI-HITL.2 anchors across thousands of decisions may indicate inadequate human oversight.
SB 26-189 requires: Records sufficient to demonstrate compliance retained for at least three years from the date of the consequential decision.
How SWT3 addresses it: Every SWT3 Witness Anchor is written to the sovereign witness ledger with cryptographic fingerprints. witnessAuditIntegrity() periodically verifies the log has not been tampered with. The ledger itself serves as the 3-year compliance record, with each anchor independently verifiable.
Export the witness ledger for the relevant time period. Each anchor contains a SHA-256 fingerprint that can be independently recomputed. Daily Merkle rollups provide tamper-evident batch verification.
Three SWT3 industry profiles include all procedures needed for SB 26-189 compliance:
| Profile | Industry | SB 26-189 Coverage | Command |
|---|---|---|---|
fintech-model-risk | Lending, credit, AML | 16 procedures, full coverage | swt3 init --profile fintech-model-risk |
insurance-underwriting | Underwriting, claims, pricing | 14 procedures, full coverage | swt3 init --profile insurance-underwriting |
healthcare-clinical | Clinical decisions, diagnostics | 15 procedures, full coverage | swt3 init --profile healthcare-clinical |
| Examiner Question | Where to Look |
|---|---|
| How do you notify consumers before ADMT interaction? | AI-TRANS.1 anchors in the witness ledger, filtered by consumer session. Timestamp proves pre-interaction delivery. |
| How do you explain adverse decisions within 30 days? | AI-AUTO.1 + AI-EXPL.1 anchor pairs. Decision timestamp vs. disclosure timestamp proves 30-day window. |
| Can consumers request human review? | AI-HITL.1 anchors with reviewer identity. AI-HITL.2 anchors prove override capability exists. |
| How long do you retain compliance records? | Witness ledger retention policy (configurable). AI-AUDIT.1 anchors verify log integrity. SWT3 anchors are independently verifiable at any point. |
| How do you prevent algorithmic discrimination? | AI-FAIR.1 (disparity measurement) and AI-FAIR.3 (bias audit) anchors with group counts and disparity ratios. |
| Can consumers correct inaccurate data? | AI-DATA.4 anchors record PII lifecycle events including corrections. AI-CONSENT.1 tracks consent and withdrawal. |
Full SDK documentation: sovereign.tenova.io/docs
Create a free account: sovereign.tenova.io/signup