A Law That Was Too Big, Then Scaled Back, Then Reshaped Again
Most people in Australia haven’t heard of Colorado’s AI Act, and that’s fair. It’s a US state law, it’s been rewritten twice, and on the surface it doesn’t apply to businesses here.
But if you’re a business leader paying attention to where AI regulation is heading, and you should be, what happened in Colorado over the past two years is one of the clearest early signals we have. It shows what regulators want, what the business community pushes back on, and where the balance is actually landing.
Back in May 2024, Colorado became the first US state to pass a broad AI law. The original act, known as SB 24-205, required businesses using AI in high-stakes decisions to run annual impact assessments, align their risk management to frameworks like NIST’s AI Risk Management Framework, and prove they’d taken steps to prevent algorithmic discrimination, all before their AI system made a single consequential decision about someone.
The business community called it unworkable. Tech companies said the obligations were too broad and too expensive, especially for smaller operators, so a governor-appointed task force spent months reworking it.
In May 2026, Governor Jared Polis signed a completely rewritten version, now called the Automated Decision-Making Technology Act, or ADMT Act. The original June 2026 launch date was dropped, the new law takes effect on 1 January 2027, and it looks very different from the first version.
What Got Cut, and What Stayed
The most striking thing about the rewrite is what was removed. The mandatory annual impact assessments, the requirement to align with a formal risk framework, and the broad algorithmic-discrimination duty of care were all cut. What’s left is simpler, but it still has teeth.
Under the ADMT Act, if you use automated decision-making technology that materially influences a consequential decision, think employment, finance, housing, healthcare, or education, you’re obligated to tell the person being affected that AI played a role.
If the outcome is adverse, like a rejected loan or an unsuccessful job application, you need to explain how the system was used and the principal reasons for that outcome, in plain language, within 30 days.
You also need to give consumers a way to correct inaccurate data and request a human review, and you need to keep records for three years.
There are no annual audits, no mandatory alignment to international standards, and no algorithmic impact statements filed with the government.
Consumer groups weren’t happy, arguing the rewrite gutted the protections that made the original law worthwhile.
But regulators and the broader business community landed on a disclosure-first approach: be transparent, treat people fairly, keep your records, and be prepared to explain what your AI did.
Why This Matters for Australian Businesses Right Now
Here’s where it gets relevant to you.
Australia is moving through its own staged approach to AI regulation, and the direction is strikingly similar to where Colorado ended up.
Our federal government has chosen a technology-neutral path rather than drafting a standalone AI Act, which means existing laws, including consumer law, anti-discrimination law, and the Privacy Act, already apply to how you use AI. There’s no clean boundary that says “if your AI tool is under a certain size, the rules don’t apply.”
The change that will hit most businesses first is a Privacy Act amendment that takes effect on 10 December 2026.
From that date, if AI is influencing decisions you make about customers (what content they see, whether they’re approved for a service, or how their data is used), you need to say so in your privacy policy, and businesses that get this wrong face fines of up to $50 million.
That’s essentially the same disclosure direction Colorado landed on after two years of negotiation, just arriving on Australian shores a little later.
What “Disclosure-Led” Regulation Actually Requires in Practice
A disclosure obligation sounds simple, but it requires more infrastructure than most businesses realise. To explain how AI influenced a decision, you first need to know:
Which AI tools are in use across your business
What decisions those tools are influencing or making
What data they’re drawing on
Whether any of those decisions could affect a customer’s rights, outcomes, or access to services
That last point is what regulators are focused on.
It’s not about whether you used AI to write a marketing email; it’s about whether AI played a role in a decision that affected someone in a meaningful way: a hiring decision, a credit check, a customer service outcome, a risk assessment.
If you can’t answer those questions today, you’re not ready for December, and getting ready isn’t just a compliance exercise. It’s also a risk management conversation.
The Microsoft Angle: You Already Have Tools to Help With This
This is where the practical picture gets clearer for businesses running on Microsoft 365.
Microsoft has built a suite of governance and compliance tools specifically designed to help you understand, document, and control how AI is operating in your environment.
Microsoft Purview, for example, lets you track what data Copilot and other AI tools are accessing, set policies around data use, and create audit logs that show exactly what happened. That is the kind of audit trail regulators are going to ask for when they want to know how a decision was made.
If you’d like a closer look at how those controls work in practice, our blog on unified AI governance for Copilot and beyond walks through the full framework we recommend for businesses at different stages of AI adoption.
Also check out our guide to AI watermarking in Microsoft 365, which covers one of the newer transparency mechanisms Microsoft has built in and is directly relevant to the “was AI involved in this?” question that regulators are starting to ask.
The Broader Regulatory Signal
Colorado’s experience highlights a pattern Australian leaders should take note of: early AI laws tend to overcorrect, face business pushback, and then settle into something narrower and more disclosure-focused.
The EU AI Act followed a similar arc at a larger scale: the original 2021 proposal was sweeping, but by the time it was finalised, entire categories of AI use had been reclassified, exemptions had been added, and the enforcement timeline had been extended.
Australia’s voluntary AI Safety Standard, a set of 10 guardrails for responsible AI use, exists in part because the government wants businesses to demonstrate good faith before mandatory rules arrive.
If you’re building governance practices now, you’re not just getting ahead of December; you’re also in a much better position when the next layer of regulation lands, whether that’s a sector-specific rule, a procurement requirement, or a mandatory reporting obligation.
The businesses that will find this easiest aren’t the ones who wait for a law and then scramble.
They’re the ones who’ve built the habit of knowing what their AI tools are doing, who’s accountable for them, and what the paper trail looks like.
Three Things Worth Doing Before December
If you’re looking for a practical starting point, these three steps will put you ahead of most businesses:
Do an AI inventory
Map every tool in your business that uses AI or automated logic to influence a decision. This includes tools built into Microsoft 365 Copilot, any third-party platforms your team is using, and any custom workflows you’ve built on top of APIs.
Our blog on building an AI operating model is a good place to start if you haven’t done this yet.
Identify which AI-influenced decisions affect customers or employees in a material way
Not every AI use is in scope, but if AI is helping determine what someone sees, what offer they receive, whether they’re hired, or whether a claim is approved, that’s worth flagging, documenting, and thinking carefully about.
Check your privacy policy
Does it mention AI at all, and does it explain how automated tools might influence decisions about individuals? If the answer is no, you’ve got work to do before 10 December.
Our practical guide to AI governance is a good complement if you want to go deeper on the governance controls that support this kind of transparency.
The Headline Isn’t Colorado. It’s Preparation.
Colorado’s AI law matters because it’s the first finished draft of what business-facing AI regulation looks like in practice. It’s messy, it’s been rewritten, and it will keep evolving, but the direction is clear: regulators want transparency, they want records, and they want businesses to be able to explain what their AI did and why.
Australia’s December 2026 Privacy Act deadline is the first concrete version of that same expectation landing on local businesses, and it won’t be the last.
The good news is that the Microsoft ecosystem you’re already working in has most of the infrastructure you need to meet these obligations; the work is in switching that infrastructure on, configuring it for your context, and making sure someone owns it.
If you’d like to talk through where your business sits today and what a practical AI governance roadmap looks like for your Microsoft environment, get in touch with the CG TECH team. We work with businesses across Australia to help them get this right without turning it into a bigger project than it needs to be.
About the Author
Carlos Garcia is the Founder and Managing Director of CG TECH, where he leads enterprise digital transformation projects across Australia.
With deep experience in business process automation, Microsoft 365, and AI-powered workplace solutions, Carlos has helped businesses in government, healthcare, and enterprise sectors streamline workflows and improve efficiency.
He holds Microsoft certifications in Power Platform and Azure and regularly shares practical guidance on Copilot readiness, data strategy, and AI adoption.