Healthcare
Specific AI-use disclosure duties applyCommon AI uses: Clinical decision support, diagnostic AI, treatment planning tools, prior authorization AI, patient-facing chatbots, EHR recommendation engines
What TRAIGA (HB 149) actually does now that it is in force — what it prohibits, who it applies to, the safe harbors and regulatory sandbox, how the Texas Attorney General enforces it, and how to build a defensible AI governance record.
What is TRAIGA?
The Texas Responsible AI Governance Act (TRAIGA) was enacted as House Bill 149, signed June 22, 2025, and took effect January 1, 2026. It is one of the first comprehensive state AI laws in the United States, and it is now in force.
The enacted law is primarily an intent-based prohibition statute. It prohibits developing or deploying AI with the intent to incite harm or crime, with the sole intent to infringe constitutional rights, to intentionally and unlawfully discriminate against a protected class, or to produce child sexual abuse material or certain unlawful deepfakes of minors. It applies to both developers and deployers of AI in Texas.
Importantly, TRAIGA does not impose a general documentation-driven governance regime on private companies. It does not require private deployers to maintain an AI inventory, run risk assessments, classify risk tiers, publish disclosures, report incidents to a regulator, or obtain executive certification. Those affirmative duties were part of an earlier draft (HB 1709) that did not become law. The affirmative disclosure duties in the enacted statute fall mainly on government entities, plus a narrower disclosure duty for healthcare providers.
Because liability is intent-based, documentation is your defense. A clear record of an AI system's purpose, testing, and oversight is the practical way to rebut an allegation of prohibited intent — and to qualify for TRAIGA's safe harbors, such as substantial compliance with the NIST AI RMF or discovering issues through internal and adversarial testing.
How TRAIGA relates to other AI regulations
Unlike the EU AI Act or the earlier Colorado model, enacted TRAIGA does not use statutory risk tiers or impose a broad risk-classification regime. It does, however, treat substantial compliance with the voluntary NIST AI RMF as a safe harbor, so the documentation you build for good governance also supports frameworks like the NIST AI RMF and ISO/IEC 42001 (both on our roadmap).
Applicability
TRAIGA applies broadly to developers and deployers of AI in Texas. Its core prohibitions turn on intent and conduct rather than on your sector, but the contexts below carry elevated practical risk or have specific duties — and they are where a documented governance record matters most.
Common AI uses: Clinical decision support, diagnostic AI, treatment planning tools, prior authorization AI, patient-facing chatbots, EHR recommendation engines
Common AI uses: Hiring screening algorithms, resume ranking tools, performance evaluation AI, workforce planning systems, promotion recommendation engines
Common AI uses: Credit scoring models, loan origination AI, fraud detection systems, insurance underwriting AI, financial eligibility tools
Common AI uses: Customer service AI making access decisions, procurement AI affecting vendors, operational AI in regulated workflows, any AI with material decision impact
Both developers and deployers fall under TRAIGA
TRAIGA reaches both the developers and the deployers of AI in Texas, so using a vendor's tool does not place you outside the statute. The good news: TRAIGA includes a safe harbor where a third party uses your AI for a prohibited purpose outside your control. To rely on it, you want a documented record of how you vet, configure, and oversee vendor AI — which is exactly the kind of governance record Risk Meridian helps you maintain.
Recommended best practices
Enacted TRAIGA does not require private deployers to run a formal governance program. These six elements are Risk Meridian's recommended best practices — the documentation that builds a defensible record and supports the statute's safe harbors.
Maintain a documented inventory of the AI systems your organization uses, especially in higher-stakes contexts.
TRAIGA does not require private deployers to maintain an AI system inventory. We recommend one anyway: a structured register that documents each system's purpose, the decisions it informs, the data it processes, the vendor (if third-party), and the human oversight in place.
An inventory is the foundation of a defensible governance record. Because TRAIGA liability is intent-based, the practical way to show your AI is not being used for a prohibited purpose is documentation — and an inventory is where that record begins.
An AI inventory is most useful when it stays current. As you deploy new AI tools — especially in fast-moving clinical, HR, and operational contexts — keeping the register updated helps you respond quickly if the Texas Attorney General ever asks questions.
How Risk Meridian covers this
AI System Registry
The AI System Registry module helps you document this practice and keep the record current — generated from your governance data, with no manual writing required.
Learn about AI System RegistryDocument a structured risk review for each AI system to support your defensibility and safe-harbor posture.
TRAIGA does not mandate a documented risk assessment for private deployers, but a structured review is one of the strongest ways to build a defensible record. It evaluates the potential harms a system could cause, the affected population, and the oversight that mitigates those risks.
A structured assessment also supports TRAIGA's safe harbors. Substantial compliance with the NIST AI RMF, internal and adversarial (red-team) testing, and following applicable state-agency guidelines are recognized defenses — and each is far easier to demonstrate when your reviews are documented rather than informal.
We recommend repeating reviews on a defined schedule and whenever you make material changes to a system, its data inputs, its use case, or its deployment context. A living assessment is more persuasive evidence of good-faith governance than a one-time snapshot.
How Risk Meridian covers this
Risk Scoring Engine
The Risk Scoring Engine module helps you document this practice and keep the record current — generated from your governance data, with no manual writing required.
Learn about Risk Scoring EngineImplement and track governance controls proportionate to the risk level of each AI system.
Building on the risk review, we recommend implementing governance controls proportionate to the risks you identify. For higher-risk AI — particularly systems used in healthcare, employment, credit, or housing — controls typically include human oversight, data governance procedures, and defined escalation paths.
Documenting controls, assigning them to responsible parties, and tracking completion gives you evidence that governance is actually operating — not just intended. That evidence is what helps rebut an allegation of prohibited intent under TRAIGA.
Controls are not static. As AI systems evolve and new risks emerge, updating the control set keeps your governance record current and credible. None of this is a TRAIGA mandate for private deployers — it is best practice that strengthens your position.
How Risk Meridian covers this
Control Auto-Creation & Tracking
The Control Auto-Creation & Tracking module helps you document this practice and keep the record current — generated from your governance data, with no manual writing required.
Learn about Control Auto-Creation & TrackingProvide clear notice where the law requires it — and keep disclosure records as a best practice elsewhere.
Enacted TRAIGA does not impose a general public-disclosure duty on private deployers. The statute’s affirmative disclosure obligations fall mainly on government entities, plus a narrower duty for healthcare providers to disclose AI use in treatment and healthcare-service contexts.
If you are a government entity or a healthcare provider, generating clear, plain-language notices is a real obligation — not technical documentation, but accessible notice that AI is being used. Texas SB 1188 (effective September 1, 2025) adds related healthcare requirements around AI-generated records and patient notification.
For private deployers outside those contexts, maintaining consistent disclosure records is a best practice that supports transparency and a defensible governance posture, even though it is not statutorily required.
How Risk Meridian covers this
Disclosure Generator
The Disclosure Generator module helps you document this practice and keep the record current — generated from your governance data, with no manual writing required.
Learn about Disclosure GeneratorLog and investigate AI incidents so you can respond quickly and demonstrate diligence.
TRAIGA does not require private deployers to report AI incidents to a regulator within a set timeframe — there is no statutory incident-reporting regime for private companies. We still recommend maintaining a structured internal log of incidents where a system caused or risked unintended harm, produced a discriminatory outcome, failed materially, or was used outside its approved scope.
A good internal log captures the affected system, the nature of the incident, a severity assessment, the investigation, and the remediation taken. Keeping this record helps you act fast and show diligence if questions arise.
Documented incident handling is part of a defensible governance record. It demonstrates that you monitor your AI and respond to problems — useful context if the Attorney General ever scrutinizes how a system was used.
How Risk Meridian covers this
Incident Log
The Incident Log module helps you document this practice and keep the record current — generated from your governance data, with no manual writing required.
Learn about Incident LogDocument leadership review of your AI governance program as an accountability best practice.
TRAIGA does not require executive or board certification of an AI governance program — that was a feature of the original draft (HB 1709) that did not become law. We recommend documenting leadership review anyway, because clear accountability strengthens a governance program.
A timestamped, attributed record that leadership has reviewed the inventory, risk reviews, controls, and disclosures shows the program has organizational backing. It is a governance artifact, not a statutory attestation.
Refreshing that review on a regular cadence — for example, annually — keeps leadership engaged and keeps your governance record current. This is best practice, not a TRAIGA obligation.
How Risk Meridian covers this
Executive Certifications
The Executive Certifications module helps you document this practice and keep the record current — generated from your governance data, with no manual writing required.
Learn about Executive CertificationsCompliance checklist
These 12 items are Risk Meridian's recommended best-practice checklist for a defensible AI governance program — not items required by TRAIGA for private deployers. Use them to assess where you stand; Risk Meridian helps you cover each one.
Identify the AI systems you use, especially in higher-impact contexts
Include internal, third-party, and vendor-provided AI tools
Document each system's purpose, data inputs, and decision scope
Assign an owner and department to every registered AI system
Complete a structured risk questionnaire for each AI system
Evaluate data sensitivity, decision impact, oversight mechanisms, and clinical/healthcare factors
Assign Risk Meridian's risk classification (Low / Moderate / High) with documented rationale
Set a review cadence and next review date for each system
Implement governance controls proportionate to each system's risk level
Include human oversight, data governance, and documentation controls
Track control completion with evidence and assign completion targets
Generate clear AI disclosure statements (required for government entities and healthcare providers; recommended elsewhere)
Establish a process to provide notice to affected individuals where disclosure applies
Implement an AI incident log and internal reporting workflow
Document leadership review and sign-off on the AI governance program
Refresh on a regular cadence — for example, annually
Enforcement & penalties
TRAIGA is now in force and enforced exclusively by the Texas Attorney General, following a 60-day cure period. Penalties attach to prohibited conduct — and because liability is intent-based, a documented governance record is the practical way to show your AI wasn't used for a prohibited purpose.
Civil penalties scale with the violation: roughly $10,000–$12,000 for curable violations, $80,000–$200,000 for uncurable violations, and $2,000–$40,000 per day for continuing violations. There is no per-system or registration penalty — penalties attach to prohibited conduct.
Before penalties apply, TRAIGA gives organizations a 60-day period to cure a violation after notice. A documented, current governance record makes it far easier to identify, fix, and demonstrate the cure within that window.
TRAIGA is enforced exclusively by the Texas Attorney General — there is no private right of action, so private plaintiffs cannot sue under the statute. If the AG inquires about how a system is used, a clear governance record is the practical way to respond.
A public enforcement action can be more damaging than the direct financial penalty. Healthcare organizations in particular face patient-trust and accreditation implications, which is one more reason to keep a defensible governance record.
Step 1
Build your AI inventory
Start by documenting the AI systems you use — their purpose, the decisions they inform, vendors, and oversight. This is the foundation of a defensible record, and Risk Meridian lets most teams complete an initial inventory in a single working session.
Step 2
Document risk reviews & controls
Run a structured risk review for each system and attach proportionate governance controls. This is where you build the evidence that supports the safe harbors — NIST AI RMF alignment, internal and adversarial testing, and human oversight.
Step 3
Disclosures, sign-off & upkeep
Generate notices where disclosure applies (government and healthcare contexts), document leadership review, and keep everything current with scheduled reviews so your record stays credible over time.
Bottom line: TRAIGA took effect January 1, 2026, so the law is live today. There is no deadline to build a mandated governance program — the value of getting organized is having a defensible record ready if questions ever arise. Purpose-built software makes that fast.
Risk Meridian compliance platform
Risk Meridian is purpose-built for AI governance in Texas. Rather than a generic compliance suite you have to configure, it gives you a working governance program out of the box — focused on the documentation that makes your AI use defensible.
Teams get organized in weeks rather than months. The platform handles the documentation, the structure, and the ongoing upkeep — your team makes the governance decisions. It supports your compliance program; it does not by itself guarantee compliance with any law.
Inventory in hours, not weeks
Register AI systems with a guided form that captures the fields that matter for a defensible record. Most organizations complete their initial inventory in a single working session.
Auto-generated risk classifications
Complete the structured questionnaire and get an immediate, auditable risk classification — Risk Meridian's own Low / Moderate / High bands — with a documented rationale you can stand behind.
Controls without manual mapping
The platform's rules engine automatically suggests applicable governance controls from your risk profile. No manual control mapping, no framework interpretation — just a pre-populated control list ready to implement.
Clear disclosures in seconds
The Disclosure Generator produces plain-language disclosure statements populated from your registry data — useful for government and healthcare disclosure duties and as a transparency best practice elsewhere.
Governance Report Pack on demand
Produce a complete documentation package — inventory, risk reviews, controls, disclosures, incident log, leadership sign-off — with one click, any time you need to show your work.
Ongoing governance, not a one-time snapshot
Review scheduling, control tracking, incident logging, and a governance maturity score keep your record current — a living, tamper-evident, append-only history rather than a stale spreadsheet.
FAQ
More questions about TRAIGA compliance? Email our compliance team →
Risk Meridian is purpose-built for AI governance in Texas. Register your first AI system, run your first risk review, and generate your first disclosure statement — all in the same session. No credit card required.
Healthcare organizations — see our healthcare AI governance solution