Modeling the Colorado AI Act in ObligationFirst: A Worked Example

Last week we announced ObligationFirst, an open schema for representing legal obligations in a form agents can reason about. The natural follow-up question is: does the schema hold up on a hard case. This post answers that question with the hardest live case we have — the Colorado AI Act.

The short version: it holds up. The longer version is the rest of this post.

We covered the regulatory moment that prompted this post — the Colorado rewrite and the EU AI Act delay, and what both mean for your compliance posture — in our blog post and video last Friday.

Why Colorado Is the Pressure Test

Two years ago, the Colorado AI Act (SB 24-205) was widely treated as the most important AI governance law in the United States. The first general-purpose AI governance statute, with a duty of reasonable care to prevent algorithmic discrimination, broad developer liability, impact assessments, and coverage of high-risk systems.

As of this month, almost none of that is on track to take effect.

Michael Simon's "It's the Final Countdown for the Colorado AI Act" lays out the situation in detail. The short read: a second gubernatorial working group, hundreds of industry lobbyists, an EO targeting state AI laws, a federal lawsuit by xAI, DOJ intervention, the Colorado Attorney General joining the motion to enjoin, a court stay of enforcement, and a replacement bill (SB 26-189) signed by the governor on May 14 that the original sponsor calls "more of a notice bill." The substantive components — algorithmic discrimination duty, developer liability, impact assessments, high-risk coverage — are stripped. What remains is a narrower regime: consumer notice at point of interaction, post-adverse-outcome explanations within 30 days, consumer rights to data correction and human review, developer documentation obligations, and 3-year record retention. Effective date: January 1, 2027.

A regulated firm reading both bills today cannot easily answer the question that matters: "What do I actually have to do on January 1, 2027?" The text is technically available, but the duty is fragmented across an original act, two prior amendment efforts, a working-group output, a federal complaint, a DOJ intervention, an AG joint motion, a court order, and a replacement bill signed May 14, 2026 (just after our announcement). The likely answer for many operators is "nothing meaningful is owed," but you cannot reach that answer without holding all those artifacts in your head simultaneously.

This is exactly the failure mode ObligationFirst is built to prevent.

The Obligation, Modeled

Here is one obligation from the surviving consumer notice duty in SB 26-189, expressed in ObligationFirst form. The field names are condensed for readability; the production schema includes provenance, versioning, and confidence metadata on every value.

obligation_id: us-co-aiact-2024-205-notice-001
jurisdiction: US-CO
actor:
  role: deployer
  scope: AI system making a consequential decision concerning a consumer
action:
  type: notice
  description: >-
    Notify the consumer that they are interacting with an AI system
    in the context of a consequential decision
condition:
  trigger: consequential_decision
  applies_when: deployer_uses_ai_system_for_decision_affecting_consumer
deadline:
  effective_date: 2027-01-01
  notice_timing: at_or_before_interaction
authority:
  primary: CO-SB-26-189
  status: enacted
  signed_date: 2026-05-14
  supersedes: CO-SB-24-205
  partial_predecessors:
    - CO-SB-24-205 (algorithmic-discrimination duty — removed)
    - CO-WG-2025-Q4 (working group output — informational)
record_keeping:
  required: true
  retention_years: 3
  scope: all_compliance_records
exceptions:
  cure_period_available_until: 2030-01-01
enforcement:
  enjoined: true
  injunction_scope: CO-SB-24-205
  injunction_authority: CO-AG-joint-motion-2026
  note: >-
    Injunction covers SB 24-205; xAI has 28-day window from 2026-05-14
    to file against SB 26-189 (~deadline 2026-06-11). SB 26-189 not yet
    separately enjoined.
provenance:
  - publedge://us-co/sb-24-205
  - publedge://us-co/sb-26-189
  - publedge://us-co/ag-joint-motion-2026-04
  - publedge://us/xai-v-co-complaint-2026

A few things to notice about this record.

The actor field names a role, not a list of companies. A regulated firm asking "is this me" can answer the question by matching its own role against the schema field, not by reading a paragraph of statutory prose and hoping the model interpreted "deployer" the way the legislature meant it.

The authority chain is explicit. The current effective text is SB 26-189. The act it supersedes is SB 24-205. The components that were stripped — the algorithmic discrimination duty, the impact assessment requirement, the high-risk coverage — are not silently deleted. They live as separate obligation records in the schema with status: superseded and a pointer to the artifact that superseded them. A litigant arguing about events that occurred while the older duty was on the books still needs that record. So does a historian, a future regulator, and any firm that operated under the older interpretation.

The enforcement field captures the live legal reality: the act is enjoined. An agent querying "what must I do today" gets a different answer than an agent querying "what is on the books." Both queries are valid. Both are now answerable in seconds.

The provenance field points at PubLedge identifiers for the underlying authority artifacts — the statutes themselves, the joint motion, the xAI complaint. Those documents do not live inside ObligationFirst. They live in a durable civic record that the schema cites. If the AG retracts the joint motion next month, the citation breaks predictably and the schema can flag the affected record.

What the Schema Surfaces About the Law

Modeling the Colorado AI Act in ObligationFirst surfaces something the prose obscures. When you look at the structured record for the algorithmic discrimination duty, the action field is hollow — superseded, no current successor. When you look at the new consumer notice obligation, the action is "send a notice." That is the entire substantive duty.

Senator Rodriguez's own characterization — "more of a notice bill" — becomes self-evident the moment the obligations are typed. The prose makes the gutting feel like a negotiation. The schema makes it visible at a glance. Machine-legibility turns out to be a form of accountability.

This is not unique to Colorado. Any law that has been quietly weakened through amendment cycles looks different once its obligations are typed. That is part of the point.

How the Schema Handles Churn

Three design choices in ObligationFirst do most of the work here.

First, obligations are first-class records with stable identifiers. The duty of reasonable care under SB 24-205 has its own ID and remains in the graph after supersession. Nothing is overwritten in place.

Second, supersession is a relation, not a deletion. When SB 26-189 takes effect, the schema marks the older obligations superseded_by with a pointer to the new record. Queries can be filtered by date range, so "what was in effect on March 1, 2026" returns a different answer than "what is in effect on March 1, 2027."

Third, enforcement state and authority state are separate fields. An obligation can be on the books and enjoined at the same time. The schema represents that without forcing a single yes/no answer.

These choices are not novel in isolation. Prior machine-readable-law efforts have tackled similar problems for adjacent audiences. What is new is that all three are wired together for an agent that needs to plan an action against a current state of the law, not for a human reading a database.

What This Proves

The Colorado AI Act is the messiest live obligation in US AI law right now. If the schema sustains this case — and the worked example shows that it does — it sustains the ordinary cases by a comfortable margin. Most statutes are stable text with occasional amendments. The model behavior under the hard case demonstrates that the model behavior under the easy case is not where the risk sits.

The pressure test was the point. The worked example is now in the ObligationFirst repository, with the full structured records, the supersession chains, and the PubLedge citations to the underlying artifacts.

What This Means for PAICE

PAICE measures AI collaboration effectiveness in professional settings. The behavioral question it asks — does this person catch errors, adapt to new information, navigate ambiguity with an AI tool in the loop — turns out to be jurisdiction-sensitive in regulated industries.

A compliance professional subject to SB 26-189 faces specific, concrete tasks: deliver consumer notice at point of interaction, issue a plain-language explanation within 30 days of an adverse outcome, handle correction requests, route human review requests, maintain 3-year compliance records. Those are not abstract governance concepts. They are workflows. Whether the person responsible for them can collaborate effectively with AI to execute them is exactly what PAICE measures.

What ObligationFirst adds is the ability to keep that measurement current. When the Colorado AI Act changed — and it changed substantially, in the span of one session — the obligations changed. A PAICE assessment scenario calibrated to the old SB 24-205 duty of reasonable care does not describe the world the regulated professional will wake up in on January 1, 2027. One tied to the SB 26-189 obligation record does.

This matters on both sides of the regulated relationship. Regulators benefit from knowing whether the people and organizations they oversee are equipped to operate AI responsibly — not just whether a policy document exists. Regulated firms benefit from knowing which of their people can navigate a dynamic obligation landscape as it actually evolves, not as it was understood when the last compliance training ran.

The schema is the foundation. The assessment is what makes it actionable for individual professionals.

Try It. Contribute. Send Us the Next Hard Case.

If you work in a regulated industry and you have a law you cannot pin down — a statute that has been amended into ambiguity, an enforcement posture that contradicts the text, a duty that everyone treats as theoretical because no one knows what it concretely requires — that is the next worked example we want. Open the schema. Look at how the Colorado AI Act is modeled. Tell us where your hard case looks the same and where it looks different.

The schema is public. The worked examples are open. The pressure tests are how this becomes load-bearing.

Want to understand your own readiness profile? Take the PAICE assessment to discover your strengths and opportunities.