Skip to main content
ActiveTexas, USA

Texas Responsible AI Governance Act (TRAIGA) Compliance Guide

Everything your organization needs to understand about TRAIGA — who must comply, what the law actually prohibits and requires, and how to build a defensible AI governance program.

Overview

The Texas Responsible AI Governance Act (TRAIGA, HB 149) is one of the first comprehensive state AI laws in the United States. Enacted by the Texas Legislature and effective January 1, 2026, TRAIGA is an intent-based statute: it prohibits specific harmful uses of AI, imposes targeted disclosure duties on government entities and healthcare providers, and is enforced exclusively by the Texas Attorney General. It does not impose a general inventory, risk-assessment, controls, public-disclosure, or board-reporting mandate on private deployers — those features belonged to an earlier draft (HB 1709) that did not become law.

Who must comply?

TRAIGA's prohibitions apply broadly to persons who develop or deploy AI systems in connection with conducting business in Texas, or whose AI products or services are used by Texas residents — across healthcare, financial services, hiring, insurance, government, and other sectors. Its affirmative disclosure duties are narrower: government entities must disclose AI interactions to consumers, and healthcare providers must disclose AI use in patient care. Private organizations are not subject to a general TRAIGA obligation to inventory systems, run risk assessments, or publish decision disclosures.

Quick Facts

Framework
Texas Responsible AI Governance Act
Jurisdiction
Texas, USA
Status
Active
Penalties
TRAIGA is enforced exclusively by the Texas Attorney General, following a 60-day cure period. Civil penalties range from roughly $10,000-$12,000 (curable violations) to $80,000-$200,000 (uncurable violations), with continuing violations at $2,000-$40,000 per day. There is no private right of action.

Get compliant with Risk Meridian

Start now — first AI system inventoried in under 10 minutes. No credit card required.

Get Started

Key obligations under Texas TRAIGA

What your organization must actually do to comply — broken down by obligation category.

Prohibited: Manipulation & Harm

TRAIGA prohibits developing or deploying an AI system with the intent to incite or encourage a person to commit physical self-harm, harm another person, or engage in criminal activity. This is an intent-based prohibition — not a documentation mandate.

Prohibited: Rights & Discrimination

TRAIGA prohibits deploying an AI system with the sole intent of infringing a person's constitutional rights, and prohibits using AI to intentionally and unlawfully discriminate against a protected class. Disparate impact alone does not establish the required intent.

Prohibited: Unlawful Deepfakes

TRAIGA prohibits developing or distributing AI systems to produce child sexual abuse material (CSAM) or unlawful deepfake imagery of minors and certain non-consensual explicit content. These are flat prohibitions backed by Attorney General enforcement.

Government-Entity Disclosure

Government entities must clearly disclose to consumers when they are interacting with an AI system, before or at the time of the interaction. This affirmative disclosure duty falls on government entities — not on private deployers as a general matter.

Healthcare-Provider Disclosure

Healthcare providers must disclose to patients when AI is used in their care or treatment, no later than the time of the AI-driven service (or as soon as reasonably possible in an emergency). This is the narrow, real disclosure duty most relevant to clinical settings.

Safe Harbors & DIR Sandbox

TRAIGA provides affirmative defenses and safe harbors — including substantial compliance with the NIST AI RMF, internal and adversarial/red-team testing, following state-agency guidelines, and a third-party misuse defense. It also creates a 36-month DIR regulatory sandbox for supervised AI testing.

What is the Texas Responsible AI Governance Act?

TRAIGA (HB 149) is Texas's AI law, signed June 22, 2025 and effective January 1, 2026. Rather than the inventory-and-assessment model of the original draft bill (HB 1709), the enacted law is intent-based: it prohibits specific harmful uses of AI, imposes disclosure duties on government entities and healthcare providers, and is enforced exclusively by the Texas Attorney General. The Texas Legislature deliberately moved away from the EU AI Act / Colorado / NIST-style mandatory governance regime that earlier drafts contained.

TRAIGA does not define statutory risk tiers

Enacted TRAIGA does not classify AI into Critical / High / Moderate / Low statutory risk tiers — that tiered model came from the EU AI Act and Colorado-style approaches, not Texas law. Risk Meridian applies its own risk classification (Low / Moderate / High) as a product methodology to help you prioritize testing, oversight, and documentation. It is a way to organize your governance work, not a legal classification mandated by TRAIGA.

TRAIGA disclosure duties

TRAIGA's affirmative disclosure duties are targeted, not general. Government entities must tell consumers when they are interacting with an AI system. Healthcare providers must disclose to patients when AI is used in their care or treatment. Private deployers are not subject to a general TRAIGA mandate to publish plain-language notices for every AI-influenced decision. Risk Meridian can help government entities and healthcare providers generate and maintain these disclosures, and helps other organizations document AI use as a matter of best practice.

TRAIGA penalties and enforcement

TRAIGA is enforced exclusively by the Texas Attorney General, following a 60-day cure period. Civil penalties range from roughly $10,000-$12,000 for curable violations to $80,000-$200,000 for uncurable violations, with continuing violations at $2,000-$40,000 per day. There is no private right of action — individuals cannot sue under TRAIGA, and TRAIGA non-compliance is not a statutory basis for private litigation. TRAIGA also preempts conflicting local AI ordinances, simplifying the Texas regulatory picture.

How Risk Meridian helps

Meet Texas TRAIGA requirements with Risk Meridian

Because TRAIGA liability is intent-based, documentation is your defense. Risk Meridian helps you build and maintain a record of each AI system's purpose, testing, and human oversight — exactly the kind of evidence that helps rebut an allegation of prohibited intent and supports the statutory safe harbors (such as substantial compliance with the NIST AI RMF and documented adversarial/red-team testing). It also helps government entities and healthcare providers generate the disclosures TRAIGA requires of them.

What Risk Meridian covers for Texas TRAIGA

  • Prohibited: Manipulation & Harm

  • Prohibited: Rights & Discrimination

  • Prohibited: Unlawful Deepfakes

  • Government-Entity Disclosure

  • Healthcare-Provider Disclosure

  • Safe Harbors & DIR Sandbox

Texas TRAIGA — frequently asked questions

Common questions from compliance officers, legal teams, and executives evaluating Texas TRAIGA compliance obligations.

When does TRAIGA take effect?
TRAIGA (HB 149) was signed on June 22, 2025 and took effect on January 1, 2026, so it is now in force. Unlike the EU AI Act, TRAIGA is not phased — its prohibitions and disclosure duties applied as of the effective date. Consult your legal counsel about how specific provisions apply to your organization.
Does TRAIGA apply to nonprofit organizations?
TRAIGA's prohibitions are not limited to for-profit entities — they apply broadly to persons who develop or deploy AI in connection with business in Texas or products and services used by Texas residents. Nonprofits, government agencies, educational institutions, and for-profit companies alike are barred from the intentional harmful uses TRAIGA prohibits. Government entities and healthcare providers also carry the specific disclosure duties described above.
Does TRAIGA apply to AI embedded in software we purchase?
TRAIGA applies to both developers and deployers of AI systems, so responsibility is not placed solely on the deploying organization or solely on the vendor. Importantly, TRAIGA includes a safe harbor: a party generally is not liable for another party's misuse of an AI system, and you may raise an affirmative defense where a third party — not you — is responsible for the prohibited use. Documenting how you procured, configured, and used embedded AI helps you rely on that defense.
Does TRAIGA regulate every 'consequential decision' made with AI?
No. The broad 'consequential decision' framework — covering any decision that materially affects access to services, employment, housing, credit, and the like — came from the original draft bill (HB 1709), which did not become law. Enacted TRAIGA does not impose inventory, risk-assessment, or disclosure obligations on private deployers for every consequential decision. Instead it prohibits specific intentional harmful uses of AI and imposes disclosure duties on government entities and healthcare providers.
How does TRAIGA relate to the EU AI Act?
They take very different approaches. The EU AI Act is a comprehensive, risk-tiered regime with extensive documentation and conformity obligations for high-risk AI. Enacted TRAIGA is narrower and intent-based — it prohibits specific harmful uses and imposes targeted disclosure duties, without the EU's mandatory risk-classification and documentation regime. Organizations operating in both jurisdictions face distinct obligations; Risk Meridian helps you maintain one governance record you can draw on for each.
What documentation should I keep to demonstrate good-faith TRAIGA compliance?
TRAIGA does not create a statutory 'audit' or document-production regime for private companies. But because liability turns on intent and the law offers safe harbors, it is wise to keep evidence you can point to if questions arise: a record of each AI system's intended purpose, documentation of internal or adversarial/red-team testing, evidence of substantial compliance with the NIST AI RMF, and records of human oversight. Risk Meridian maintains this kind of documentation in a tamper-evident, append-only audit log.

Start your Texas TRAIGA compliance program today

Risk Meridian handles Texas TRAIGA compliance documentation — plus every other major AI regulation — from a single platform. Start now, first AI system inventoried in under 10 minutes.

Covers 6 AI frameworks simultaneously

Document once — reuse across multiple frameworks

Board governance reports in minutes