
Introduction
Most boards still treat AI governance as a technical concern — something the IT or data science team handles. That changes on January 1, 2026.
On June 22, 2025, Governor Abbott signed HB 149 (the Texas Responsible Artificial Intelligence Governance Act, or TRAIGA) into law. It applies to every organization that builds, deploys, or sells AI systems touching Texas residents.
This isn't a voluntary framework or industry best practice. It's enforceable law with civil penalties reaching $200,000 per uncurable violation.
What makes TRAIGA distinctive is its intent-based liability standard. Regulators will scrutinize not only what your AI produced, but how it was designed and governed from the start. That places AI risk squarely on boards and executive teams — not just technical staff.
This guide walks compliance leaders, boards, and C-suite executives through what TRAIGA prohibits, who it reaches, and how to build a risk assessment framework that holds up under Attorney General enforcement.
TL;DR
- TRAIGA takes effect January 1, 2026 and applies to any organization whose AI touches Texas residents — regardless of where you're headquartered
- Liability is intent-based: design documentation is your primary legal defense, not just clean outputs
- Six specific AI practices are prohibited, with penalties up to $200,000 per uncurable violation
- NIST AI RMF alignment creates a rebuttable presumption of reasonable care — your strongest structural affirmative defense
- Boards need documented AI oversight now — passive awareness isn't enough under this standard
What TRAIGA Is and Why It Demands Attention Now
TRAIGA (HB 149) is a comprehensive state-level AI regulation signed June 22, 2025, effective January 1, 2026. The Texas Attorney General has exclusive enforcement authority. There is no private right of action — affected individuals cannot sue you directly, but the AG can and will.
How TRAIGA Differs From Other AI Frameworks
Most state and international AI laws use tiered risk classifications. TRAIGA does not. Rather than ranking AI systems by risk level and imposing graduated requirements, it identifies specific prohibited practices and applies an intent-based liability standard across them.
The operative language throughout TRAIGA uses phrases like "intentionally aims," "with the intent," and "with the sole intent." This shapes your governance strategy directly: your organization must demonstrate that AI was designed to avoid prohibited outcomes — not merely that bad outcomes didn't happen.
That distinction puts intent documentation at the center of your compliance posture, not incident response.
The Federal Preemption Question
A 10-year federal moratorium on state AI laws was proposed but stripped from the final federal budget bill. The Senate voted 99-1 to remove it, and H.R.1 was signed into law on July 4, 2025 without that provision.
Prepare for TRAIGA as written. The governance infrastructure you build now gives your board defensible documentation regardless of how federal law develops:
- AI inventory — a complete record of systems in scope and their intended functions
- Intent documentation — design-level evidence that prohibited outcomes were actively avoided
- NIST alignment — a recognized framework that supports consistent, auditable oversight
Who Must Comply: TRAIGA's Reach
TRAIGA applies to any person or entity that:
- Promotes, advertises, or conducts business in Texas
- Produces a product or service used by Texas residents
- Develops or deploys an AI system within the state
Geographic headquarters is no shield. An out-of-state or international organization whose AI is accessible to Texas users falls squarely within scope.
Key Exemptions
TRAIGA does include limited carve-outs:
| Sector | Exemption Scope |
|---|---|
| Insurance | Entities regulated by the Department of Insurance under applicable anti-discrimination statutes |
| Financial institutions | Federally insured institutions compliant with federal and state banking laws — deemed compliant with the unlawful-discrimination provision |
| Biometric data for AI training | Excluded, unless the system is later used to uniquely identify a specific individual |
The biometric training carve-out disappears the moment your system is used for commercial identification. Document your use cases clearly and revisit scope any time your AI's purpose expands.
One other point boards and executives should register: TRAIGA includes no small-business, revenue, or employee-count exemptions. If your AI touches Texas users, the law applies regardless of company size.
The Six Prohibited AI Practices: Mapping Your Exposure
TRAIGA identifies six categories of prohibited AI conduct. Some apply to any person or entity; two are government-specific but still affect private-sector organizations that supply AI to government agencies.
| Prohibition | Scope | Intent Standard |
|---|---|---|
| Behavioral manipulation: inciting self-harm, harm to others, or criminal activity | Any person | Design documentation must show absence of this intent |
| Unlawful discrimination: deploying AI to discriminate against protected classes | Any person | Disparate impact alone is insufficient; intent must be shown |
| Social scoring: evaluating individuals based on social behavior producing unjust treatment | Governmental entities | Shapes public-sector AI vendor landscape |
| Biometric identification: using AI to uniquely identify individuals via biometric data without consent | Governmental entities | Private vendors supplying government AI face downstream exposure |
| Constitutional rights infringement: deploying AI with the sole intent to infringe U.S. Constitutional rights | Any person | "Sole intent" is the operative threshold |
| Unlawful sexual content: developing or distributing AI to produce CSAM, deepfake sexual content, or AI simulating sexual conduct while impersonating a minor | Any person | No intent gradation — strict prohibition |

Exposure Mapping Exercise
Before your next risk assessment, build a simple matrix:
- List every AI system your organization uses or deploys
- Map each system against the six categories above
- Add a column for documentation status (complete, partial, absent)
- Flag any system touching Texas residents with incomplete documentation
That matrix feeds directly into the formal risk assessment process covered next.
Conducting a TRAIGA AI Risk Assessment
Step 1: AI System Inventory
Identify every AI system that touches Texas residents or operates within the state — including third-party and vendor-supplied tools your organization deploys. For each system, document:
- Intended use and authorized deployment decision
- Data inputs and outputs
- What decisions or recommendations it influences
- Whether it operates in a high-exposure sector (healthcare, employment, lending, housing, or education)
Third-party tools matter. If you deploy it, you own the exposure.
Step 2: Risk Classification by Exposure Category
Map each inventoried system against TRAIGA's six prohibited practice categories. Flag elevated-exposure systems operating in sectors that affect individual rights and access to services. Systems carrying heightened scrutiny potential include:
- Healthcare AI making treatment suggestions
- Hiring tools screening candidates
- Lending models affecting credit access
Step 3: Intent Documentation as Legal Defense
Under TRAIGA's intent-based standard, documentation is your primary defense. For each AI system, build and maintain records covering:
- Design intent — what the system was built to do and explicitly not do
- Bias testing conducted — methodology, date, results
- Known limitations — acknowledged gaps documented before deployment
- Operational controls — guardrails, human oversight points, escalation procedures
- Post-deployment monitoring — ongoing review results and any remediation taken
The absence of documentation is itself a risk signal to regulators. When the AG issues a civil investigative demand, this record is the first thing examined. If it doesn't exist, the inference isn't favorable.
Step 4: Disclosure Gap Analysis
Assess which AI systems require consumer-facing disclosure under TRAIGA. Government agencies and healthcare providers face explicit obligations under the statute. Private-sector organizations in high-risk domains should evaluate proactively rather than wait for enforcement to define the line.
Where disclosures are required, verify they are clear, written in plain language, and free of deceptive patterns — waiting for an enforcement action to define adequacy is not a defensible posture.
Step 5: NIST AI RMF Alignment
TRAIGA's Section 552.105 creates a rebuttable presumption of reasonable care for organizations that substantially comply with the NIST AI Risk Management Framework — specifically the Generative AI Profile. This alignment also serves as an affirmative defense in enforcement actions.
The NIST AI RMF Core operates across four functions:
- Govern — establishes organizational AI risk governance structures, policies, and culture
- Map — frames context and identifies AI risks across the system lifecycle
- Measure — assesses, analyzes, and monitors AI risks and impacts
- Manage — prioritizes and treats risks identified through mapping and measurement

Operationally, NIST alignment means documented governance structures, named accountability for AI risk, repeatable risk identification processes, and evidence of ongoing monitoring. It is a sustained posture, not a one-time certification.
Organizations without dedicated AI governance resources may need outside support to build this framework before the January 2026 deadline. Tyson Martin works with boards and executive teams on exactly this: AI risk assessments, decision-rights maps, and board-level oversight reporting aligned with NIST AI RMF.
Board and Executive AI Governance Obligations Under TRAIGA
Define Decision Rights Before Enforcement Does It For You
Boards must establish which AI risk decisions require board or committee approval versus management delegation — and document those thresholds. Without clear decision rights, both oversight accountability and management execution suffer under regulatory scrutiny.
Specific questions the board should answer and record:
- What AI risk decisions require board approval?
- What are the escalation thresholds for AI incidents?
- Who has authority to accept AI risk exceptions, and under what conditions?
Structure AI Risk Reporting for the Board
Board-level AI risk briefings should be written in plain language rather than delivered as technical outputs. A useful reporting structure includes:
- Which systems carry prohibited practice exposure and what mitigation is underway
- Where NIST alignment stands and what remains outstanding
- Current disclosure compliance status across required and proactive disclosures
- Any active AG complaints or investigations and their current status

Trend reporting is more useful than snapshots. Boards need to know whether risk is increasing or decreasing rather than where it sits at a single point in time.
Assign Named Executive Accountability
Designate a specific executive (CISO, Chief Risk Officer, or equivalent) with authority and accountability for AI governance across business units and vendor relationships. Boards should confirm this role has the organizational standing and resources to enforce AI risk policies.
Build a Defensible Paper Trail
Board minutes, risk committee records, and documented AI risk decisions must demonstrate active oversight rather than passive awareness. Under an intent-based liability standard, the board's documented engagement with AI risk governance is itself evidence of organizational intent to operate responsibly.
Boards that have gone through structured AI governance reviews with Tyson Martin's NACD advisory work consistently produce records that hold up to external scrutiny — because the process is designed from the start for that purpose.
Monitor the Texas AI Council and Sandbox
TRAIGA creates the Texas Artificial Intelligence Council, attached administratively to the Texas Department of Information Resources, to guide ethical AI development and make legislative recommendations.
TRAIGA also establishes a regulatory sandbox program allowing approved participants to test innovative AI systems without certain licenses or regulatory authorizations, for up to 36 months with possible extension. Participants must submit quarterly performance and risk mitigation reports to DIR. TRAIGA's Chapter 552 prohibitions cannot be waived under the sandbox, so confirm those constraints against your specific use cases before pursuing this path.
Enforcement, Penalties, and Safe Harbor
Penalty Structure
| Violation Type | Penalty Range |
|---|---|
| Curable violation | $10,000 – $12,000 per violation |
| Uncurable violation | $80,000 – $200,000 per violation |
| Continuing violation | $2,000 – $40,000 per day |

The AG must provide 60 days' written notice before filing suit on a curable violation. To cure, an organization must provide:
- A written statement confirming the violation was remediated
- Supporting documentation showing how it was addressed
- Evidence of internal policy changes to prevent recurrence
Understanding the AG's Enforcement Posture
The Texas OAG launched a Data Privacy and Security Initiative in June 2024. Public records confirm at least one TDPSA-specific lawsuit (Allstate/Arity, January 2025) and additional AG civil investigative demands in privacy and data-security matters. The AG has demonstrated willingness to use every available enforcement tool, and TRAIGA adds significant new ones to that arsenal.
Building Layered Safe Harbor Defenses
Don't rely on a single defense. Build multiple layers:
- Document NIST AI RMF alignment: creates the rebuttable presumption of reasonable care under Section 552.105
- Preserve internal review records: the affirmative defense path requires showing the violation was discovered through internal processes, not external enforcement
- Maintain audit trails: the AG can issue civil investigative demands requesting AI system descriptions, data inputs and outputs, metrics, limitations, monitoring records, and safeguards; your audit trail should be accessible and organized before that demand arrives
- Demonstrate no prohibited intent: your design documentation, testing records, and governance records collectively establish this case
Frequently Asked Questions
What is TRAIGA and when does it take effect?
TRAIGA is the Texas Responsible Artificial Intelligence Governance Act (HB 149), signed by Governor Abbott on June 22, 2025, effective January 1, 2026. It creates enforceable AI governance obligations — including specific prohibited practices and civil penalties — for organizations building, deploying, or selling AI that affects Texas residents.
Does TRAIGA apply to my organization if we are headquartered outside of Texas?
Yes. TRAIGA applies to any entity that produces a product or service used by Texas residents or deploys AI accessible to Texas users — regardless of where the organization is headquartered. Geographic location provides no exemption.
What is the difference between prohibited AI uses and high-risk AI under TRAIGA?
TRAIGA does not use a tiered risk classification system like the EU AI Act. Instead, it identifies a specific set of prohibited practices that apply broadly to any person conducting business in or serving Texas residents, rather than imposing requirements based on risk level.
How does aligning with the NIST AI Risk Management Framework protect my organization under TRAIGA?
Substantial compliance with the NIST AI RMF (specifically the Generative AI Profile) creates a rebuttable presumption of reasonable care under TRAIGA Section 552.105. Documented alignment is the most defensible compliance strategy the statute provides.
Can individuals or competitors sue my company for TRAIGA violations?
No. TRAIGA explicitly provides no private right of action. Only the Texas Attorney General has enforcement authority, meaning civil litigation from affected individuals or competitors is not a risk under this statute — but AG enforcement is.
What should boards do right now to prepare for TRAIGA compliance before January 2026?
Start with four actions:
- Commission an AI system inventory
- Assign named executive accountability for AI governance
- Begin NIST AI RMF alignment
- Add AI risk reporting to the board oversight cadence
Under TRAIGA's intent-based standard, documentation is the compliance posture. Every step needs a paper trail.


