The Texas Responsible AI Governance Act (TRAIGA), in force January 1, 2026, is an intent-based law: it prohibits specific harmful uses of AI and is enforced exclusively by the Texas Attorney General. It does not impose a general inventory-and-disclosure mandate on private companies. This guide covers who it applies to, what it actually prohibits, how it is enforced, and how a documented governance program keeps you defensible.
Who must comply with TRAIGA
TRAIGA applies to deployers — organizations that use AI systems developed by others — and developers — organizations that build AI systems for deployment by others. The obligations differ between these two roles, but both are covered.
Unlike the earlier draft of the bill (HB 1709), the enacted law does not turn on a revenue threshold or a “consequential decision” test. In practice, TRAIGA is most relevant when:
- You develop or deploy an AI system that is used in Texas
- That AI could be put to one of the purposes the statute prohibits (see below)
- You are a government entity or healthcare provider with a specific disclosure duty
Geographic headquarters does not matter. A company based in California, New York, or outside the United States can be subject to TRAIGA if its AI is used in Texas. This broad reach is one of the most commonly misunderstood aspects of the law.
What TRAIGA actually prohibits
Rather than a documentation regime, the enacted law targets specific intentional uses of AI. TRAIGA prohibits developing or deploying an AI system with the intent to:
- Incite or encourage a person to harm themselves or others, or to commit a crime
- Infringe, restrict, or otherwise impair constitutional rights
- Unlawfully discriminate against a protected class
- Produce child sexual abuse material or unlawful deepfake intimate imagery
Because the prohibitions turn on intent, an unintended disparate-impact outcome is not, by itself, a TRAIGA violation — but documented purpose, testing, and oversight are how you show you did not act with prohibited intent. (Discriminatory outcomes can still carry exposure under other employment and civil-rights laws.)
Building a defensible program (best practice, not a TRAIGA mandate)
Enacted TRAIGA does not require private deployers to maintain an inventory, run risk assessments, publish disclosures, report incidents, or obtain executive certification. But because liability is intent-based, a documented governance record is your best evidence that you did not act with prohibited intent — and it helps you qualify for TRAIGA's safe harbors, such as substantial compliance with the NIST AI RMF. The practices below are recommended on that basis.
1. AI System Inventory
Maintaining a documented inventory of the AI systems you use is the foundation of a defensible program. A useful inventory includes, at minimum: the system's purpose, its vendor (if third-party), the types of decisions it influences, the data it processes, the risk classification, and the oversight mechanisms in place.
To be useful, the inventory must be current. An inventory that accurately described your AI portfolio six months ago but has not been updated to reflect new systems, vendors, or use cases leaves you without a record to rely on.
2. Risk Assessment
Evaluating each system through a structured risk assessment helps you spot where prohibited-use or discrimination risk could arise. A useful assessment produces a risk classification — Risk Meridian uses LOW, MODERATE, HIGH, or CRITICAL — with a documented rationale traceable to specific evaluation criteria. Subjective classifications without documented support are hard to defend later.
3. Governance Controls
Based on the risk assessment, organizations should implement governance controls proportionate to the identified risk level. Higher-risk systems warrant more extensive controls: human oversight mechanisms, bias monitoring, incident response procedures, and regular review cycles.
4. AI Disclosures
TRAIGA's affirmative disclosure duties fall on government entities and healthcare providers. For those actors, disclosing that AI is in use is required; for everyone else, proactive disclosure is a best practice rather than a TRAIGA mandate. A good disclosure tells a person that an AI system was used, its general purpose, and how to request human review, in plain language that reflects the current state of the system.
5. Incident Management
Maintaining a process for identifying, logging, investigating, and resolving AI incidents — situations where an AI system produced an erroneous, biased, or harmful output — is good practice. TRAIGA does not require you to report incidents to a regulator; external reporting applies only where another law or contract requires it.
6. Executive Sign-Off
TRAIGA does not require executive attestation — that was a feature of the earlier draft. As a matter of governance, many organizations still adopt a documented executive sign-off that the program has been reviewed. When used, the certifying executive should have actually reviewed the inventory, risk assessments, controls, and disclosures before signing; it creates accountability and strengthens your record.
Enforcement timeline and penalties
| Phase | Date | What happens |
|---|---|---|
| TRAIGA in force | Now | Effective January 1, 2026. The statute's prohibitions are active. |
| AG enforcement | Ongoing | The Texas Attorney General — the only entity that can enforce TRAIGA — can investigate and bring actions after a 60-day notice-and-cure period. There is no private right of action. |
| Civil penalties | Tiered | Roughly $10,000–$12,000 for curable violations and $80,000–$200,000 for uncurable ones, plus $2,000–$40,000 per day for continuing violations. |
There is no private right of action under TRAIGA — enforcement is exclusively through the AG's office. However, TRAIGA violations can also create exposure under related state and federal statutes that do allow private suits.
A recommended AI-governance checklist (best practice)
AI system inventory is documented and current
Every inventoried system has a completed risk assessment with documented rationale
Risk classifications are deterministic and auditable
Governance controls are implemented (not just documented) for each system
Controls are proportionate to the risk level of each system
Disclosure statements are generated where they apply (e.g., government or healthcare AI use)
Disclosures are proactively provided (not just available on request)
AI incident management process is defined and operational
Incident response has defined severity levels and escalation paths
Executive certification has been completed and documented
Review schedule is established for periodic re-assessment
How to build your governance program fast
The fastest path to a defensible governance program follows a specific sequence. Do not start with policies or certifications — start with your inventory. You cannot assess, control, or disclose systems you have not identified.
- Scope assessment (Week 1): Identify every AI system in use and determine which ones are in scope for TRAIGA. Cast wide — it is better to over-include initially and narrow down than to miss a covered system.
- Inventory (Weeks 1–2): Record every in-scope system in a structured inventory with the key fields. Purpose-built software does this in hours; spreadsheets take weeks and create ongoing maintenance debt.
- Risk assessments (Weeks 2–4): Complete a structured questionnaire-based risk assessment for each system. The questionnaire should produce an auditable classification — anyone reviewing it can verify the classification from the documented answers.
- Controls and disclosures (Weeks 3–6): Implement controls, generate disclosure statements where they apply, and establish review schedules. This is where automation provides the most leverage.
- Executive sign-off (Week 6+): Once the program is operational, consider documenting an executive sign-off. Do not sign off before the underlying program is actually in place.
The cost of waiting
Because TRAIGA liability turns on intent, your defense is a documented record showing your AI's purpose, testing, and oversight — and that record is also what qualifies you for the statute's safe harbors. The AG's enforcement authority is active, and building that record before you face an inquiry is far easier than reconstructing it after.
A solid AI governance program takes 4–6 weeks with purpose-built software. Getting organized now also positions you for genuine obligations under the EU AI Act and other emerging frameworks.