By the Shadow AI Policy team
The week of May 12–21, 2026 delivered a dense slate of AI governance news that directly affects how employers, HR teams, and legal departments need to think about AI use in the workplace. Three separate legislative developments — two domestic, one transatlantic — all moved within days of each other, and on May 19 the EU published guidance that compliance teams should be reading right now.
This week's briefing covers four stories: Colorado's signed rewrite of its landmark AI employment law (and the federal lawsuit that's put enforcement on ice), Connecticut passing one of the country's most employer-facing AI statutes, the EU AI Act's "Digital Omnibus" political agreement that reshuffled compliance deadlines, and the European Commission's May 19 publication of draft high-risk AI classification guidelines open for public comment through June 23. Here's what happened and what it means for your organization.
If you use any AI tool in hiring, promotion, compensation, or performance management — even a resume screener or scheduling assistant — audit that tool against Colorado SB 26-189 and Connecticut SB 5 now. Both laws take effect in 2026–2027, both enforcement clocks are running, and both focus specifically on employment decisions. Don't wait for your state to act; these laws are already being watched as national templates.
What happened: Colorado Governor Jared Polis signed Senate Bill 26-189 (SB 189) on May 14, 2026, substantially revising the state's landmark Colorado Artificial Intelligence Act (SB 205) — the first U.S. law imposing broad obligations on developers and deployers of "high-risk" artificial intelligence (AI) systems. The original law was set to take effect June 30, 2026, but never made it there. The Colorado General Assembly passed the bill one day before the end of the 2026 legislative session, and the governor signed it less than two months before the previously enacted law was due to go into effect — ending a nail-biting period for employers who did not know whether to proceed with compliance implementation.
What changed: SB 189 removes many of the hallmarks of the Colorado AI Act — such as a duty of care, risk management programs, and impact assessments — in favor of a disclosure-based framework with limited rights in narrow circumstances. The updated law applies to automated decision-making technology (ADMT) that materially influences "consequential decisions" in specified domains such as employment, lending, housing, insurance, healthcare, education, and government. For employers specifically, the law now requires employers to provide a plain-language description of the adverse consequential decision and the role the automated tool played in it within 30 days of a decision.
The federal wildcard: Even the new law is in legal limbo. On April 9, 2026, Elon Musk's xAI filed suit in the U.S. District Court for the District of Colorado challenging the constitutionality of SB 24-205. On April 24, 2026, the U.S. Department of Justice moved to intervene in support of xAI — marking the first time the federal government has sought to invalidate a state AI law. The Colorado Attorney General has stated he does not intend to enforce SB 24-205 or any legislation replacing or amending it — including SB 26-189 — until after the rulemaking process has concluded. In practical terms, the Colorado AI Act is on hold with no firm enforcement date.
What to do: Don't treat the enforcement stay as a green light to ignore Colorado. The updated law requires mandatory AG rulemaking that could result in additional requirements or modifications. The new law adds sector-specific accommodations for HIPAA-covered entities, insurers and creditors, as well as FERPA-covered educational institutions and FDA-regulated medical devices. If you operate in any of those sectors, read the law carefully with counsel. Track the litigation. And use this window to document which AI tools influence hiring, compensation, or other consequential decisions — because that inventory will be required under any version of this law. Read the full text of Holland & Knight's SB 189 analysis.
What happened: On May 11, 2026, the Connecticut General Assembly passed Senate Bill 5, and Governor Lamont is expected to sign it into law. The bill, formally the Connecticut Artificial Intelligence Responsibility and Transparency Act, is a wide-ranging "online safety" and artificial intelligence (AI) bill with several provisions that directly affect hiring and employers. The bill passed the House 131 to 17 and the Senate 32 to 4.
What it requires from HR teams: SB 5 sets disclosure and notice requirements for employers that deploy automated tools in recruiting or personnel decisions, clarifies that using such tools is not a defense to discrimination claims, creates whistleblower-style protections and internal reporting obligations for certain high-end AI developers, and adds an AI-related disclosure to WARN notices filed with the Connecticut Department of Labor. The anti-discrimination angle is especially significant: the bill amends Connecticut's anti-discrimination statutes to codify that automated decision-making is not a defense to a discrimination claim, going further than any other state, while allowing courts to consider proactive anti-bias testing as a mitigating factor.
Key dates for employers: The law has staggered effective dates. Starting October 1, 2026: the automated employment-related decision technology framework takes effect; "AI is not a defense" amendments to anti-discrimination statutes become effective; frontier developer whistleblower provisions take effect; and the WARN AI/technology-change disclosure requirement begins. The interactive disclosure and pre-decision notice obligations for automated employment-related decision technology apply from October 1, 2027. The Attorney General is the exclusive enforcer for the automated employment sections, with an optional 60-day cure period available for violations occurring on or before December 31, 2027.
What to do: October 1, 2026 is roughly 19 weeks away. Employers should launch a cross-functional workstream that inventories automated decision tools, maps decision points, and identifies where SB 5's disclosures and notices must be layered into recruiting and HR workflows. Even if you're not based in Connecticut, if you hire Connecticut residents, the law applies to you. Review the full law breakdown from Littler Mendelson. You can also generate a tailored AI policy kit to document your current AI tool usage before these deadlines arrive.
What happened: On 7 May 2026, negotiators from the Council of the European Union, the European Parliament, and the European Commission reached a provisional agreement on the terms of the Digital Omnibus on AI, marking the first set of amendments to the EU AI Act since its adoption in June 2024. The amendments are expected to proceed through formal adoption in the coming months, with final approval anticipated in June and publication expected in July.
What changed on deadlines: The most noteworthy change is the staggered deferral of certain compliance deadlines. For Annex III high-risk AI systems (use-based), obligations are postponed from 2 August 2026 to 2 December 2027 — a deferral of 16 months. That's important because Annex III use cases include biometrics, critical infrastructure, education, employment, and law enforcement. If your company uses AI in any of those categories and sells or operates in the EU, you got more runway — but not a free pass. Although the Agreement still requires formal adoption, companies offering or using AI systems in the EU should begin aligning their compliance programs with the new framework.
New prohibitions added: The Omnibus didn't just loosen timelines — it also added new bans. Among the most visible changes is the introduction of a prohibition on the use of AI systems to generate or manipulate non-consensual intimate material. The prohibition — taking effect on 2 December 2026 — amends Article 5 of the AI Act. Violations may result in fines of up to €15 million or 3% of total annual worldwide turnover, whichever is higher.
What to do: Don't assume the deadline extensions mean you can pause EU AI Act work. The core requirements and obligations remain substantively unchanged. If you have European operations or sell to EU customers, map your AI systems against Annex III now using the new extended deadlines as a planning horizon — not an excuse to delay. Read the Council's official agreement at consilium.europa.eu.
What happened: On May 19, 2026, the European Commission published draft guidelines on the classification of high-risk artificial intelligence systems under the EU AI Act and launched a public consultation open until June 23, 2026. The publication follows a delay from the Commission's original timetable — guidance on high-risk classification had initially been expected by February 2, 2026, ahead of the EU AI Act's original compliance milestones for high-risk systems.
Why this matters for compliance teams: The draft guidelines, issued under Article 6(5) of the EU AI Act, are intended to assist providers, deployers and market surveillance authorities in determining whether an AI system falls within a high-risk category under Article 6 of the EU AI Act. The practical significance is high: for anyone working on AI governance or compliance, this is the most important interpretative document since the AI Act itself entered into force. The guidelines finally answer a question many organisations have been grappling with: when exactly does my AI system qualify as high-risk?
Scope of the guidelines: The drafts cover (i) general principles for high-risk classification, (ii) classification under Article 6(1) and Annex I (AI as a product or safety component of a regulated product), and (iii) classification under Article 6(2) and Annex III (the eight use-case categories). One key nuance for employers: under Article 6(3)'s "filter mechanism," certain systems falling within Annex III use cases are exempt if they do not materially influence decision-making, such as where they only perform narrow procedural tasks or improve the result of a previous human activity — but the guidance stresses that this exception must be interpreted narrowly and does not apply, for example, to systems performing profiling.
What to do: The draft guidelines have been published for public consultation, with feedback invited from stakeholders including AI providers and deployers, businesses, public authorities, academia, and civil society. The consultation is open until June 23, 2026. The Commission emphasizes that the draft guidelines are not legally binding — but they will become the interpretive baseline that regulators use for enforcement. If you use AI in any EU employment, lending, or educational context, read the guidelines and assess where your tools land. Access the consultation directly at digital-strategy.ec.europa.eu.
The table below compares the four most active AI employment compliance frameworks affecting U.S. employers — as of May 21, 2026.
| Jurisdiction / Law | Covers Employment AI? | Key Employer Obligation | First Enforcement Date | Enforcement Status |
|---|---|---|---|---|
| Colorado SB 26-189 | Yes — hiring, compensation, HR decisions | 30-day plain-language adverse decision notice; point-of-use disclosure | Jan 1, 2027 (after AG rulemaking) | Stayed — no enforcement date confirmed |
| Connecticut SB 5 (AIRT Act) | Yes — hiring, promotion, discipline, WARN Act | Disclose AI use to applicants/employees; AI is not a discrimination defense | Oct 1, 2026 (developer/deployer rules) | Pending governor signature; expected to sign |
| NYC Local Law 144 | Yes — automated employment decision tools | Annual bias audit; candidate notice before use | In effect since July 5, 2023 | Active — NYC DCWP enforcing |
| EU AI Act — Annex III | Yes — employment AI is explicitly listed as high-risk | Risk management, data governance, human oversight, transparency documentation | Dec 2, 2027 (post-Omnibus deferral) | Draft classification guidelines out now; comment by Jun 23, 2026 |
If you use any AI tool that scores, ranks, screens, or makes recommendations about job candidates or current employees, you're in scope for at least two of the four frameworks covered this week. Connecticut's law takes effect for some employer obligations in October 2026 — that's less than five months away. Colorado's law is stayed but will likely be enforced after rulemaking. Start with a simple inventory: list every AI or automated tool your HR team uses, note what decisions it influences, and review what disclosure you currently give to candidates or employees. That inventory is the foundation for compliance under every state law currently in play.
Yes, if you haven't already. Connecticut's October 1, 2026 deadline is the most imminent hard date for employers this week. You'll need to document which automated tools you deploy in hiring or employment decisions, update any vendor agreements to secure compliance information from AI developers, and put a plain-language disclosure workflow in place. Colorado's law is stayed but rulemaking is coming — building your policy infrastructure now saves duplication of work later. If you don't have a written AI acceptable use policy that addresses how employees and HR teams use AI tools, that gap becomes a compliance liability as more states activate enforcement.
Connecticut SB 5 explicitly amends the state's anti-discrimination statutes to clarify that the fact a hiring or employment decision was made by, or with the assistance of, an automated system cannot be used as a legal defense against a discrimination claim. This is a significant shift: it closes a potential argument that "the algorithm decided, not us." Courts and agencies may consider evidence of proactive bias testing as a mitigating factor, which means documenting your bias-testing efforts — ideally before a tool goes live — is now directly relevant to legal exposure in Connecticut. Other states are watching this provision closely.
Tailored to your industry and the AI tools your team uses. Free preview, $79 one-time or $149/mo with monthly updates.
Generate my policy kit →