
The law evolved from a sweeping proposal (HB 1709) modeled on the EU AI Act into something more targeted, but don't let the scaled-back scope mislead you. TRAIGA still carries penalties up to $200,000 per violation, gives the Attorney General broad investigative authority, and defines "AI system" broadly enough to cover tools most enterprises already use.
This article is written for executives, board members, general counsel, and risk leaders — not for attorneys parsing statutory language. The goal is straightforward: understand what changed, what it costs to get it wrong, and what to do before the deadline.
TLDR: Key Facts at a Glance
- Effective date: January 1, 2026
- Applies to any company doing business in Texas, serving Texas residents, or deploying AI there, regardless of where it's headquartered
- Prohibits behavioral manipulation, unlawful discrimination, rights violations, and CSAM/deepfake content
- Disclosure duties apply to government agencies and healthcare providers only — not private employers
- Enforcement: Texas Attorney General exclusively; no private lawsuits
- Penalties: $10,000–$200,000 per violation; up to $40,000 per day for continuing violations
- Safe harbor: Alignment with NIST AI RMF can serve as an affirmative defense
What Is TRAIGA and Who Does It Apply To
The Law in Plain Terms
TRAIGA is a Texas state law regulating how AI systems are developed and deployed. The original bill (HB 1709) would have imposed EU AI Act-style obligations on private companies: algorithmic impact assessments, mandatory risk policies, disclosure to job applicants. As K&L Gates has noted, the final statute strips most of that out.
What remains is narrower but still consequential: specific prohibited uses, disclosure duties for government agencies and healthcare providers, and AG-led enforcement with real penalty exposure.
The AI Definition Is Broader Than You Think
The statute defines an AI system as:
"Any machine-based system that, for any explicit or implicit objective, infers from the inputs the system receives how to generate outputs, including content, decisions, predictions, or recommendations, that can influence physical or virtual environments."
That language covers far more than ChatGPT or image generators. Under this definition, covered systems likely include:
- Recommendation engines (e-commerce, content, financial)
- Predictive analytics and automated decisioning tools
- Virtual assistants and customer service bots
- Fraud detection and credit scoring models
- Facial recognition and biometric verification systems
- Hiring screening or workforce management tools

If your organization operates in retail, financial services, or healthcare, you almost certainly have systems that qualify — whether or not you think of your company as an "AI company."
Who TRAIGA Covers
TRAIGA applies to any person or entity that:
- Promotes, advertises, or conducts business in Texas
- Produces a product or service used by Texas residents
- Develops or deploys an AI system in Texas
Developer and deployer are defined separately: a developer builds and provides AI systems, while a deployer uses them in operations. Both face obligations under the law — and when systems are purchased from third-party vendors, the deployer cannot defer responsibility to the developer.
One important clarification on scope: "consumer" under TRAIGA means a Texas resident acting in an individual or household context. The law does not extend to interactions in commercial or employment settings.
What the Final Law Does NOT Require of Private Companies
Compared to HB 1709, the enacted version removed:
- Mandatory algorithmic impact assessments
- Required AI risk management policies for private-sector entities
- Disclosure of AI use to job applicants or employees (except for government agencies)
Many compliance teams spent months preparing for obligations that never materialized. If your organization built an internal AI governance program around the draft bill, review it against the enacted text — some controls may now exceed what TRAIGA requires, while actual obligations under the final statute may be going unaddressed.
What TRAIGA Prohibits
The statute states that its prohibitions "shall be broadly construed." Four categories apply to all covered entities — private and public alike.
Prohibition 1: Manipulation of Human Behavior
No entity may develop or deploy an AI system intentionally designed to incite or encourage a person to physically harm themselves or others, or to engage in criminal activity. "Physical harm" could be interpreted expansively over time — courts haven't tested the boundaries yet. Document what your AI systems are designed to do and verify they cannot be repurposed for harmful ends — this paper trail matters if intent is ever disputed.
Prohibition 2: Unlawful Discrimination
TRAIGA prohibits developing or deploying AI with intent to unlawfully discriminate against a protected class under federal or state law. The statute is explicit: disparate impact alone is not sufficient to demonstrate intent.
This is a meaningful departure from the original bill. Two limited exceptions apply:
- Federally insured financial institutions that comply with applicable banking laws
- Insurance entities subject to state unfair-discrimination or unfair-practices statutes
Prohibition 3: Constitutional Rights Infringement
AI systems cannot be developed or deployed with the sole intent of infringing, restricting, or impairing rights guaranteed by the U.S. Constitution. The word "sole" does legal work here. Multiple documented purposes undercut a "sole intent" finding, so maintaining clear records of what a system is designed to accomplish is a straightforward protective measure.
Prohibition 4: Sexually Explicit and Child-Exploitative Content
TRAIGA prohibits developing or distributing AI systems intended to produce, assist in producing, or distribute child sexual abuse imagery or unlawful deepfake pornography. It also prohibits AI systems that engage in sexually explicit text conversations while impersonating a person under 18. Most enterprises won't face direct exposure here, but organizations offering consumer-facing generative AI tools — particularly those with user-generated personas or chat features — should confirm their content moderation controls specifically address these scenarios.
Disclosure Obligations Under TRAIGA
Disclosure requirements apply to two specific categories of entities — not to private employers or general commercial entities.
Government Agency Disclosure
Any governmental entity whose AI system is designed to interact with consumers must disclose the AI use before or at the time of interaction — even when the AI use would be obvious. The disclosure must be:
- Clear and conspicuous
- Written in plain language
- Free of dark patterns designed to manipulate user behavior
Hospital districts and institutions of higher education are excluded from the definition of "governmental entity" for these purposes.
Healthcare Provider Disclosure
Providers of healthcare services must disclose to patients — or their personal representatives — that an AI system is being used in connection with their care or treatment. Unlike the government agency requirement, this disclosure can be made on the date of treatment, making it compatible with standard intake and consent forms.
Emergency care has a carve-out: disclosure must occur "as soon as reasonably possible" after the emergency.
What Private Employers Are Not Required to Do
Beyond these two categories, TRAIGA imposes no disclosure obligations on private companies. Employers are not required to disclose AI use to job applicants, employees, or general consumers. Earlier versions of the bill included this requirement; it was removed before passage.
Enforcement, Penalties, and the Cure Period
How Enforcement Works
The Texas Attorney General holds exclusive enforcement authority. There is no private right of action — individuals cannot sue companies directly. However, consumers can submit complaints through an online AG portal, which can trigger a civil investigative demand (CID).
A CID can require organizations to produce:
- Descriptions of the AI system's purpose and training data
- Details on inputs, outputs, and performance metrics
- Known limitations and post-deployment monitoring measures
Plan to produce this documentation quickly. Organizations that don't have it documented before a CID arrives will be assembling it under pressure.
Penalty Tiers
| Violation Type | Penalty Range |
|---|---|
| Curable violation | $10,000–$12,000 per violation |
| Breach of written cure statement | $10,000–$12,000 per violation |
| Uncurable violation | $80,000–$200,000 per violation |
| Continuing violation | Up to $40,000 per day |
| Licensed entity (AG recommendation) | Up to $100,000 additional |

One important caveat: TRAIGA does not define "curable" versus "uncurable" violations. Courts will develop that distinction over time. That ambiguity creates real uncertainty. Until courts establish clearer boundaries, conservative interpretation is the safer posture.
The 60-Day Cure Window
After receiving a notice of violation, organizations have 60 calendar days to cure, document the remediation, and explain what policy changes prevent recurrence. The AG can only file an enforcement action after an uncured violation.
Sixty days sounds workable. For complex AI systems, particularly those purchased from third-party vendors, it may functionally operate as a cease-and-desist. If the deployer cannot unilaterally modify the system, corrective action depends entirely on the developer's cooperation and timeline.
Safe Harbors and the Regulatory Sandbox
The Affirmative Defense
TRAIGA provides a liability defense for organizations that discover and cure potential violations through:
- Feedback from developers, deployers, or other stakeholders
- Testing procedures, including red-teaming or adversarial testing
- Following applicable state agency guidelines
- An internal review process
The catch: all of the above must occur while the organization is substantially complying with a nationally or internationally recognized AI risk management framework. The statute names the NIST AI Risk Management Framework (including the Generative AI Profile) as an example.

Organizations that cannot point to a recognized framework at the time of a violation cannot rely on this defense. That changes the calculus on NIST AI RMF alignment from "nice to have" to "necessary for liability protection."
Also worth noting: a developer or deployer cannot be held liable for how an end user misuses an AI system.
The Regulatory Sandbox
TRAIGA creates an AI regulatory sandbox administered by the Texas Department of Information Resources (DIR). Approved participants can develop and test AI systems for up to 36 months without standard licensing requirements. Application materials must include:
- A detailed AI system description
- A benefit assessment covering privacy and public safety
- A risk mitigation plan
- Evidence of compliance with applicable federal AI law
Participants submit quarterly performance and risk reports. DIR submits annual program reports to the legislature, meaning government visibility into participant systems is built in from the start.
That said, the sandbox isn't a free pass. TRAIGA's core prohibitions still apply inside it — participation doesn't exempt anyone from the behavioral manipulation, discrimination, or CSAM prohibitions.
The Texas AI Advisory Council
Alongside the sandbox, TRAIGA establishes a seven-member advisory council appointed by the governor, lieutenant governor, and speaker of the house. Its mandate covers AI training for state agencies and non-binding reports on AI ethics, privacy, and legal risk — with no authority to issue regulations.
What Boards and Executives Should Do Before January 1, 2026
TRAIGA is not just a legal compliance problem. It is a board-level oversight question. Boards need to know which AI systems their organizations deploy, whether those systems could implicate the prohibitions, and whether management has the documentation and governance structure to defend the company's intent and practices to an AG investigator.
According to McKinsey's 2025 State of AI research, 78% of organizations used AI in at least one business function — which means most mid-to-large enterprises are almost certainly operating systems that fall within TRAIGA's broad definition.
Four concrete steps to take now:
- Inventory and assess AI systems in use. Map every system against TRAIGA's definition. Evaluate whether any could implicate a prohibited use — even unintentionally. This includes vendor-provided tools.
- Draft written AI policies. Document the organization's intent, permissible use cases, and governance structure. These policies serve double duty: operational guide and affirmative defense documentation.
- Build an internal review process aligned to NIST AI RMF. Capture inputs, outputs, performance metrics, and stakeholder feedback systematically. This creates the documentation trail needed for cure periods and CID responses.
- If you're a healthcare provider or government agency, draft disclosure language now. Don't improvise this during a patient intake form revision or system launch.

For organizations that need to move fast or lack internal AI governance expertise, working with an experienced board advisor can compress the timeline. That means aligning to NIST AI RMF, clarifying which AI decisions belong to management versus the board, and building the inspectable execution frameworks that TRAIGA's safe harbor requires.
Tyson Martin works with boards and executive teams navigating these regulatory requirements. His AI Governance Starter Pack is a structured 30-day sprint that takes organizations from no formal AI governance to a defensible posture — with a risk assessment, decision-rights map, and board-level AI policy as deliverables.
Frequently Asked Questions
What is the Texas Responsible AI Governance Act 2025?
TRAIGA (HB 149) is a Texas state law signed June 22, 2025, effective January 1, 2026. It regulates the development and deployment of AI systems by prohibiting specific harmful uses — including behavioral manipulation and unlawful discrimination — while establishing disclosure requirements for government agencies and healthcare providers, with enforcement authority vested in the Texas Attorney General.
What are the requirements for TRAIGA?
Requirements vary by entity type. All covered companies must avoid TRAIGA's four prohibited AI uses; government agencies and healthcare providers must disclose AI use to consumers or patients at the time of interaction. All covered entities should maintain documentation and AI governance policies aligned with a recognized framework like NIST AI RMF to support the affirmative defense.
Does TRAIGA apply to companies headquartered outside of Texas?
Yes. TRAIGA applies to any entity that promotes, advertises, or conducts business in Texas; produces a product or service used by Texas residents; or develops or deploys an AI system in Texas. Where you're headquartered doesn't matter; if you serve Texas consumers, you're in scope.
Is there a private right of action under TRAIGA?
No. Individuals cannot sue companies directly for TRAIGA violations. Enforcement is exclusively through the Texas Attorney General, though consumers can file complaints through an online AG portal that may trigger an investigation.
What is the regulatory sandbox under TRAIGA?
The sandbox is a program administered by the Texas Department of Information Resources that lets approved companies develop and test AI systems for up to 36 months without standard licensing requirements. Participants must submit quarterly reports on performance, risk mitigation, and consumer feedback. TRAIGA's core prohibitions still apply throughout.
How does TRAIGA's safe harbor protect companies?
Companies that discover and cure potential violations through internal review, testing (such as red-teaming), stakeholder feedback, or state agency guidelines — while substantially complying with a recognized AI risk management framework like NIST AI RMF — cannot be held liable for those violations.


