Texas Responsible AI Governance Act (TRAIGA) Compliance Guide
Everything your organization needs to understand about TRAIGA — who must comply, what the law actually prohibits and requires, and how to build a defensible AI governance program.
Overview
The Texas Responsible AI Governance Act (TRAIGA, HB 149) is one of the first comprehensive state AI laws in the United States. Enacted by the Texas Legislature and effective January 1, 2026, TRAIGA is an intent-based statute: it prohibits specific harmful uses of AI, imposes targeted disclosure duties on government entities and healthcare providers, and is enforced exclusively by the Texas Attorney General. It does not impose a general inventory, risk-assessment, controls, public-disclosure, or board-reporting mandate on private deployers — those features belonged to an earlier draft (HB 1709) that did not become law.
Who must comply?
TRAIGA's prohibitions apply broadly to persons who develop or deploy AI systems in connection with conducting business in Texas, or whose AI products or services are used by Texas residents — across healthcare, financial services, hiring, insurance, government, and other sectors. Its affirmative disclosure duties are narrower: government entities must disclose AI interactions to consumers, and healthcare providers must disclose AI use in patient care. Private organizations are not subject to a general TRAIGA obligation to inventory systems, run risk assessments, or publish decision disclosures.
Quick Facts
- Framework
- Texas Responsible AI Governance Act
- Jurisdiction
- Texas, USA
- Status
- Active
- Penalties
- TRAIGA is enforced exclusively by the Texas Attorney General, following a 60-day cure period. Civil penalties range from roughly $10,000-$12,000 (curable violations) to $80,000-$200,000 (uncurable violations), with continuing violations at $2,000-$40,000 per day. There is no private right of action.
Get compliant with Risk Meridian
Start now — first AI system inventoried in under 10 minutes. No credit card required.
Get StartedRelated Resources
TRAIGA Compliance Overview →
Our comprehensive TRAIGA guide with guidance, a best-practice checklist, and FAQ.
AI Governance Software →
How Risk Meridian helps you build a defensible TRAIGA governance record.
Healthcare AI Governance →
TRAIGA compliance for hospitals and health systems.
AI Risk Register →
Build a defensible AI risk register to support good-faith TRAIGA compliance.
Key obligations under Texas TRAIGA
What your organization must actually do to comply — broken down by obligation category.
Prohibited: Manipulation & Harm
TRAIGA prohibits developing or deploying an AI system with the intent to incite or encourage a person to commit physical self-harm, harm another person, or engage in criminal activity. This is an intent-based prohibition — not a documentation mandate.
Prohibited: Rights & Discrimination
TRAIGA prohibits deploying an AI system with the sole intent of infringing a person's constitutional rights, and prohibits using AI to intentionally and unlawfully discriminate against a protected class. Disparate impact alone does not establish the required intent.
Prohibited: Unlawful Deepfakes
TRAIGA prohibits developing or distributing AI systems to produce child sexual abuse material (CSAM) or unlawful deepfake imagery of minors and certain non-consensual explicit content. These are flat prohibitions backed by Attorney General enforcement.
Government-Entity Disclosure
Government entities must clearly disclose to consumers when they are interacting with an AI system, before or at the time of the interaction. This affirmative disclosure duty falls on government entities — not on private deployers as a general matter.
Healthcare-Provider Disclosure
Healthcare providers must disclose to patients when AI is used in their care or treatment, no later than the time of the AI-driven service (or as soon as reasonably possible in an emergency). This is the narrow, real disclosure duty most relevant to clinical settings.
Safe Harbors & DIR Sandbox
TRAIGA provides affirmative defenses and safe harbors — including substantial compliance with the NIST AI RMF, internal and adversarial/red-team testing, following state-agency guidelines, and a third-party misuse defense. It also creates a 36-month DIR regulatory sandbox for supervised AI testing.
What is the Texas Responsible AI Governance Act?
TRAIGA (HB 149) is Texas's AI law, signed June 22, 2025 and effective January 1, 2026. Rather than the inventory-and-assessment model of the original draft bill (HB 1709), the enacted law is intent-based: it prohibits specific harmful uses of AI, imposes disclosure duties on government entities and healthcare providers, and is enforced exclusively by the Texas Attorney General. The Texas Legislature deliberately moved away from the EU AI Act / Colorado / NIST-style mandatory governance regime that earlier drafts contained.
TRAIGA does not define statutory risk tiers
Enacted TRAIGA does not classify AI into Critical / High / Moderate / Low statutory risk tiers — that tiered model came from the EU AI Act and Colorado-style approaches, not Texas law. Risk Meridian applies its own risk classification (Low / Moderate / High) as a product methodology to help you prioritize testing, oversight, and documentation. It is a way to organize your governance work, not a legal classification mandated by TRAIGA.
TRAIGA disclosure duties
TRAIGA's affirmative disclosure duties are targeted, not general. Government entities must tell consumers when they are interacting with an AI system. Healthcare providers must disclose to patients when AI is used in their care or treatment. Private deployers are not subject to a general TRAIGA mandate to publish plain-language notices for every AI-influenced decision. Risk Meridian can help government entities and healthcare providers generate and maintain these disclosures, and helps other organizations document AI use as a matter of best practice.
TRAIGA penalties and enforcement
TRAIGA is enforced exclusively by the Texas Attorney General, following a 60-day cure period. Civil penalties range from roughly $10,000-$12,000 for curable violations to $80,000-$200,000 for uncurable violations, with continuing violations at $2,000-$40,000 per day. There is no private right of action — individuals cannot sue under TRAIGA, and TRAIGA non-compliance is not a statutory basis for private litigation. TRAIGA also preempts conflicting local AI ordinances, simplifying the Texas regulatory picture.
Meet Texas TRAIGA requirements with Risk Meridian
Because TRAIGA liability is intent-based, documentation is your defense. Risk Meridian helps you build and maintain a record of each AI system's purpose, testing, and human oversight — exactly the kind of evidence that helps rebut an allegation of prohibited intent and supports the statutory safe harbors (such as substantial compliance with the NIST AI RMF and documented adversarial/red-team testing). It also helps government entities and healthcare providers generate the disclosures TRAIGA requires of them.
What Risk Meridian covers for Texas TRAIGA
Prohibited: Manipulation & Harm
Prohibited: Rights & Discrimination
Prohibited: Unlawful Deepfakes
Government-Entity Disclosure
Healthcare-Provider Disclosure
Safe Harbors & DIR Sandbox
Texas TRAIGA — frequently asked questions
Common questions from compliance officers, legal teams, and executives evaluating Texas TRAIGA compliance obligations.
- When does TRAIGA take effect?
- TRAIGA (HB 149) was signed on June 22, 2025 and took effect on January 1, 2026, so it is now in force. Unlike the EU AI Act, TRAIGA is not phased — its prohibitions and disclosure duties applied as of the effective date. Consult your legal counsel about how specific provisions apply to your organization.
- Does TRAIGA apply to nonprofit organizations?
- TRAIGA's prohibitions are not limited to for-profit entities — they apply broadly to persons who develop or deploy AI in connection with business in Texas or products and services used by Texas residents. Nonprofits, government agencies, educational institutions, and for-profit companies alike are barred from the intentional harmful uses TRAIGA prohibits. Government entities and healthcare providers also carry the specific disclosure duties described above.
- Does TRAIGA apply to AI embedded in software we purchase?
- TRAIGA applies to both developers and deployers of AI systems, so responsibility is not placed solely on the deploying organization or solely on the vendor. Importantly, TRAIGA includes a safe harbor: a party generally is not liable for another party's misuse of an AI system, and you may raise an affirmative defense where a third party — not you — is responsible for the prohibited use. Documenting how you procured, configured, and used embedded AI helps you rely on that defense.
- Does TRAIGA regulate every 'consequential decision' made with AI?
- No. The broad 'consequential decision' framework — covering any decision that materially affects access to services, employment, housing, credit, and the like — came from the original draft bill (HB 1709), which did not become law. Enacted TRAIGA does not impose inventory, risk-assessment, or disclosure obligations on private deployers for every consequential decision. Instead it prohibits specific intentional harmful uses of AI and imposes disclosure duties on government entities and healthcare providers.
- How does TRAIGA relate to the EU AI Act?
- They take very different approaches. The EU AI Act is a comprehensive, risk-tiered regime with extensive documentation and conformity obligations for high-risk AI. Enacted TRAIGA is narrower and intent-based — it prohibits specific harmful uses and imposes targeted disclosure duties, without the EU's mandatory risk-classification and documentation regime. Organizations operating in both jurisdictions face distinct obligations; Risk Meridian helps you maintain one governance record you can draw on for each.
- What documentation should I keep to demonstrate good-faith TRAIGA compliance?
- TRAIGA does not create a statutory 'audit' or document-production regime for private companies. But because liability turns on intent and the law offers safe harbors, it is wise to keep evidence you can point to if questions arise: a record of each AI system's intended purpose, documentation of internal or adversarial/red-team testing, evidence of substantial compliance with the NIST AI RMF, and records of human oversight. Risk Meridian maintains this kind of documentation in a tamper-evident, append-only audit log.
Start your Texas TRAIGA compliance program today
Risk Meridian handles Texas TRAIGA compliance documentation — plus every other major AI regulation — from a single platform. Start now, first AI system inventoried in under 10 minutes.
Covers 6 AI frameworks simultaneously
Document once — reuse across multiple frameworks
Board governance reports in minutes