AI Transparency Disclosure

State of play.

• Colorado has executed a full policy reversal, repealing its landmark 2024 comprehensive AI Act and replacing it with a narrower disclosure-and-transparency regime focused on automated decision-making technology — effective January 1, 2027, enforced only by the AG, with no private right of action (→ Colorado repeals 2024 AI Act, replaces it with narrower ADMT law, Colorado replaces 2024 AI law with narrower employer-focused disclosure rules, Colorado replaces 2024 AI law with new automated decision-making rules, Colorado Gov. Polis signs SB 189, rewriting the state’s AI employment law).
• Connecticut is moving in the opposite direction, enacting a detailed AI workplace framework with near-term compliance deadlines — October 1, 2026 for the non-defense provision and WARN Act disclosure, October 1, 2027 for pre-decision and chatbot disclosure obligations (→ Connecticut enacts SB 5, new AI workplace disclosure and bias law).
• The EU Digital Omnibus trilogue deal has been struck, provisionally amending the AI Act and postponing key high-risk AI compliance deadlines that were set to hit August 2, 2026 — but formal adoption remains pending and the precise scope of deferrals has not yet been disclosed (→ EU institutions strike deal on Digital Omnibus delaying key AI Act deadlines).
• Workplace AI enforcement is escalating across multiple vectors, with the EEOC, Department of Labor, and regulators in Illinois, New York City, Colorado, and California actively scrutinizing AI use in hiring, promotion, and performance monitoring — and employers remaining liable for AI-driven employment decisions regardless of vendor involvement (→ Employers Face Rising AI Workplace Bias, Privacy, and Compliance Risks).
• For counsel advising employers, deployers, or developers operating across multiple states, the operative picture is a diverging patchwork — Colorado retreating to disclosure-only while Connecticut advances a more demanding workplace framework, and the EU's August 2026 deadline now in flux — making jurisdiction-by-jurisdiction compliance mapping the immediate priority before the October 2026 and January 2027 deadlines land simultaneously.

Where things stand.

• Colorado's new ADMT law displaces the 2024 Act entirely. SB 26-189, signed May 14, 2026, narrows the regulatory focus to automated decision-making technology used in consequential decisions — hiring, housing, lending, health care, insurance, education, government services. Developers must provide technical documentation; deployers must give pre-use and post-adverse-decision notice, retain records for three years, and allow data correction and human review. The 60-day cure window before AG enforcement begins is the key remediation lever (→ Colorado repeals 2024 AI Act, replaces it with narrower ADMT law, Colorado replaces 2024 AI law with new automated decision-making rules, Colorado Gov. Polis signs SB 189, rewriting the state’s AI employment law).
• Connecticut's AI Responsibility and Transparency Act creates the most demanding near-term employer compliance deadline. Starting October 1, 2026, automated tools cannot be used as a defense to discrimination claims and WARN Act notices must disclose AI involvement in layoffs. Starting October 1, 2027, employers must provide plain-language chatbot disclosure and pre-decision notices describing the tool, underlying data, and employer contact information (→ Connecticut enacts SB 5, new AI workplace disclosure and bias law).
• EU AI Act compliance timelines are in active flux. The provisional Digital Omnibus trilogue agreement adjusts transparency and documentation requirements and modifies sandbox and conformity procedures, but the specific deadline extensions remain undisclosed pending formal Parliament and Council adoption — leaving companies with EU-facing high-risk AI systems in a compliance-planning limbo against the original August 2, 2026 deadline (→ EU institutions strike deal on Digital Omnibus delaying key AI Act deadlines).
• Workplace AI enforcement is multi-jurisdictional and employer-side liability is settled doctrine. Under existing anti-discrimination law, employers bear responsibility for AI-driven employment decisions regardless of whether a vendor built the tool or a human made the final call; the EEOC and state regulators in Illinois, New York City, Colorado, and California are all active (→ Employers Face Rising AI Workplace Bias, Privacy, and Compliance Risks).
• State disclosure laws remain the operative baseline across multiple vectors. California's transparency and training-data disclosure requirements took effect January 1, 2026; more than two dozen states are enacting or advancing AI regulation, with the FTC and state AGs positioned as primary enforcers (→ U.S. states and Congress escalate AI deepfake, chatbot, and transparency rules in May 2026).
• Federal preemption is the administration's stated goal, not yet law. The March 2026 National Policy Framework and the December 2025 EO directing agencies to identify conflicting state laws define the posture — but no legislation has passed, and states continue advancing their own regimes in the interim (→ U.S. AI governance is shifting to real-time controls as policy lags, U.S. states and Congress escalate AI deepfake, chatbot, and transparency rules in May 2026).
• AI governance is becoming operational infrastructure. Enterprise vendors and regulators are building runtime enforcement and continuous monitoring into AI systems; the 2026 compliance landscape is expected to include inventory requirements, risk assessment protocols, vendor review processes, and continuous monitoring for high-risk and agentic AI systems — though the binding legal framework has not yet solidified (→ U.S. AI governance is shifting to real-time controls as policy lags).
• AI-generated code quality is an emerging governance and liability gap. OpenClaw founders have warned that agentic AI tools are producing "vibe slop" — code that appears functional but contains bugs, security vulnerabilities, and maintainability problems — with governance and quality control underdeveloped as enterprises scale AI code generation into production (→ OpenClaw founders warn AI-generated “vibe slop” is creating risky code).

Latest developments.

• The EU Digital Omnibus trilogue deal was struck on May 13, 2026, provisionally amending the AI Act and postponing high-risk AI compliance deadlines that were set to take effect August 2, 2026 — with formal Parliament and Council adoption still pending and the precise scope of deferrals not yet disclosed (→ EU institutions strike deal on Digital Omnibus delaying key AI Act deadlines).
• Workplace AI enforcement is escalating, with the EEOC, DOL, and state regulators in Illinois, New York City, Colorado, and California actively scrutinizing AI use in hiring, promotion, and performance monitoring — and the first wave of enforcement actions expected to define the standard of care (→ Employers Face Rising AI Workplace Bias, Privacy, and Compliance Risks).

Active questions and open splits.

• Colorado's disclosure-only model vs. Connecticut's more demanding framework — which template prevails. Colorado's retreat from audit-heavy requirements signals that industry pressure can reshape comprehensive AI statutes; Connecticut's near-term employer obligations move in the opposite direction. Whether other states follow Colorado's lighter-touch model or Connecticut's more prescriptive approach is the live question for multi-state compliance planning (→ Colorado repeals 2024 AI Act, replaces it with narrower ADMT law, Connecticut enacts SB 5, new AI workplace disclosure and bias law).
• Developer vs. deployer liability allocation under the new ADMT regimes. Colorado's SB 26-189 allocates liability based on relative fault between developers and deployers; Connecticut's framework places primary disclosure obligations on employers as deployers. How courts and the AG will apportion responsibility when a vendor's tool produces an adverse outcome — and what indemnification and audit-rights provisions in vendor contracts must now say — is unresolved (→ Colorado replaces 2024 AI law with new automated decision-making rules, Connecticut enacts SB 5, new AI workplace disclosure and bias law).
• EU AI Act compliance planning against a moving deadline. The Digital Omnibus deal defers obligations but the final text is not yet adopted — companies must decide now whether to continue preparing for August 2, 2026 or pause investment pending the formal adoption and disclosure of which deadlines are extended and by how long (→ EU institutions strike deal on Digital Omnibus delaying key AI Act deadlines).
• What qualifies as a covered "automated employment decision tool." Both Colorado and Connecticut leave the boundary of covered systems to be defined through implementation and litigation. The scope question — whether tools that assist rather than determine decisions are covered, and how human-in-the-loop configurations affect coverage — will drive the first wave of enforcement disputes (→ Colorado replaces 2024 AI law with narrower employer-focused disclosure rules, Connecticut enacts SB 5, new AI workplace disclosure and bias law).
• Federal preemption scope and timing. The administration's December 2025 EO targets state laws that "require AI models to alter their truthful outputs" — language that arguably reaches bias-mitigation mandates but not pure disclosure requirements. Whether federal preemption legislation, if enacted, would sweep in Connecticut's non-defense provision or Colorado's ADMT notice requirements is the central compliance-planning uncertainty (→ U.S. AI governance is shifting to real-time controls as policy lags, U.S. states and Congress escalate AI deepfake, chatbot, and transparency rules in May 2026).
• Workplace AI bias enforcement standard of care. The EEOC and state regulators are watching but the precise legal triggers for liability in individual cases have not yet crystallized — meaning the first enforcement actions will define what audit, validation, and explainability obligations actually require in practice (→ Employers Face Rising AI Workplace Bias, Privacy, and Compliance Risks).
• AI-generated code liability and disclosure obligations. As enterprises deploy agentic AI code generation at scale, the governance gap between speed-to-market and due diligence obligations is widening — with no settled framework for assigning responsibility when AI-generated code fails in production (→ OpenClaw founders warn AI-generated “vibe slop” is creating risky code).

What to watch.

• Formal Parliament and Council adoption of the EU Digital Omnibus — the adopted text will disclose which high-risk AI deadlines are deferred and by how long, resolving the compliance-planning limbo for companies with EU-facing operations before the original August 2, 2026 deadline.
• Whether the Connecticut AG issues implementation guidance clarifying the scope of "automated employment decision tool" before the October 1, 2026 compliance deadline.
• Whether other states follow Colorado's disclosure-only template or Connecticut's more demanding framework — the divergence will define whether a national compliance standard emerges or the patchwork deepens.
• The first EEOC or state AG enforcement action against an employer for AI-driven employment decisions — the outcome will define the standard of care for audit, validation, and explainability obligations across all jurisdictions.
• Whether the White House's federal preemption push produces draft legislation — and whether the scope language reaches disclosure-only statutes or remains targeted at bias-mitigation mandates.
• Whether enterprise vendor contracts begin incorporating AI governance audit rights, indemnification provisions, and ADMT compliance representations as a standard term — driven by Colorado's January 2027 and Connecticut's October 2026 deadlines landing in the same contracting cycle.