On May 14, 2026, Colorado Governor Jared Polis signed SB 26-189, repealing and replacing the Colorado AI Act (SB 24-205) before it ever took effect. The original 2024 statute — the first comprehensive state AI law in the United States — was built around a 'high-risk AI system' category and imposed a duty to use reasonable care to prevent algorithmic discrimination, mandatory risk-management programs, and impact assessments. The replacement drops all three. In their place sits a narrower disclosure-and-transparency regime governing 'automated decision-making technology' in 'consequential decisions,' effective January 1, 2027.
The reversal matters far beyond Colorado. It is the most concrete evidence yet that the EU-style, pre-emptive 'classify-and-audit' model of AI regulation is harder to operationalize than its drafters assumed — and it lands at the exact moment India is being asked whether its conspicuously lighter approach was wisdom or abdication.
The strongest case for what Colorado abandoned
The original Colorado AI Act was not a thoughtless overreach, and it deserves a fair hearing. Algorithmic systems already gate access to credit, housing, insurance, and jobs. When a model trained on biased data quietly denies a mortgage or screens out a qualified applicant, the harm is real, diffuse, and almost impossible for the individual to detect — let alone contest. SB 24-205's logic was that the party deploying the system, not the consumer, is best placed to find and fix that bias, so the law placed an affirmative duty of care and documentation on developers and deployers. That is a defensible allocation of responsibility, and the discrimination it targets is not hypothetical.
The problem was never the goal. It was the machinery. Defining 'high-risk' systems ex ante, mandating standardized impact assessments, and creating a duty of 'reasonable care' against a harm with no settled measurement standard generated enormous compliance uncertainty for every business touching the technology — including small ones that build nothing and merely use a vendor's tool. Polis flagged exactly this when he signed the original bill in 2024, urging the legislature to refine it before it bound anyone. The legislature ultimately concluded the framework could not be refined; it had to be rebuilt. SB 26-189 keeps the consumer-facing protections that are cheap and verifiable — notice that you are interacting with AI, disclosure within 30 days of an adverse outcome, data correction, and a right to meaningful human review — and discards the speculative governance apparatus.
What India chose instead
India arrived at a similar destination by refusing to take Colorado's first path at all. In November 2025, MeitY released the India AI Governance Guidelines under the IndiaAI Mission. The framework explicitly declines to enact a new AI-specific law, instead relying on existing instruments — principally the Information Technology Act, 2000 and the Digital Personal Data Protection Act, 2023 — supplemented by voluntary commitments, regulatory sandboxes, and an AI Governance Group chaired by the Principal Scientific Adviser. IT Secretary S. Krishnan put it plainly: India 'has consciously chosen not to lead with regulation but to encourage innovation while studying global approaches,' relying on existing laws 'rather than rush into new legislation.'
Crucially, India did not choose deregulation; it chose to regulate through instruments that already exist and already work. The DPDP Rules, notified on November 13, 2025, carry transparency obligations around automated decision-making and become substantively enforceable by May 14, 2027 — addressing much of the same consequential-decision territory Colorado is now legislating, but inside a data-protection statute rather than a bespoke AI regime. India keeps human accountability central, declines to grant AI legal personhood, and plans to calibrate future rules against a national AI incident database rather than against theoretical risk tiers.
Colorado's retreat is a real-world stress test that India's bet has, so far, passed. Both jurisdictions have converged on the same operative principle: regulate observable outcomes and disclosures, not abstract system categories. Proportionate, evidence-based, technology-neutral rules built on existing law are proving more durable than first-of-their-kind frameworks that try to anticipate every harm in advance.
The delivery gap is the real risk
Vindication on regulatory philosophy is not the same as success, and here India should be honest with itself. A light-touch model only protects citizens if the state actually builds the capacity it promised in lieu of hard rules — sandboxes that function, an incident database that is populated, and an AI ecosystem strong enough that domestic firms have a stake in responsible behavior. On that score, the record is uneven. The IndiaAI Mission was approved with a five-year outlay of ₹10,372 crore and a plan for more than 10,000 GPUs, yet by April 2026 only a small fraction had reportedly been disbursed. Light-touch governance financed by a heavy-handed under-spend is the worst of both worlds: neither the guardrails of regulation nor the capability of investment.
The deeper opportunity is talent and infrastructure, not statute. Indian-origin AI researchers are increasingly looking homeward as Silicon Valley's pull weakens, and compute scarcity is pushing genuine infrastructure innovation across India, Brazil, and the UAE. That is the dividend a non-prescriptive regime is supposed to capture. Colorado has just demonstrated that you can always tighten a light regime when evidence demands it — the replacement law is proof that course-correction is normal, not failure. The harder thing to reverse is a missed buildout. India was right not to over-regulate first. It will be judged on whether it actually delivers second.