Skip to main content
Texas Responsible AI Governance Act

TRAIGA Compliance: The Complete Guide to the Texas Responsible AI Governance Act

What TRAIGA (HB 149) actually does now that it is in force — what it prohibits, who it applies to, the safe harbors and regulatory sandbox, how the Texas Attorney General enforces it, and how to build a defensible AI governance record.

Built for Texas AI governanceBuilt for healthcareDefensible documentation

What is TRAIGA?

The Texas Responsible AI Governance Act, explained

The Texas Responsible AI Governance Act (TRAIGA) was enacted as House Bill 149, signed June 22, 2025, and took effect January 1, 2026. It is one of the first comprehensive state AI laws in the United States, and it is now in force.

The enacted law is primarily an intent-based prohibition statute. It prohibits developing or deploying AI with the intent to incite harm or crime, with the sole intent to infringe constitutional rights, to intentionally and unlawfully discriminate against a protected class, or to produce child sexual abuse material or certain unlawful deepfakes of minors. It applies to both developers and deployers of AI in Texas.

Importantly, TRAIGA does not impose a general documentation-driven governance regime on private companies. It does not require private deployers to maintain an AI inventory, run risk assessments, classify risk tiers, publish disclosures, report incidents to a regulator, or obtain executive certification. Those affirmative duties were part of an earlier draft (HB 1709) that did not become law. The affirmative disclosure duties in the enacted statute fall mainly on government entities, plus a narrower disclosure duty for healthcare providers.

Because liability is intent-based, documentation is your defense. A clear record of an AI system's purpose, testing, and oversight is the practical way to rebut an allegation of prohibited intent — and to qualify for TRAIGA's safe harbors, such as substantial compliance with the NIST AI RMF or discovering issues through internal and adversarial testing.

TRAIGA at a glance

Full name
Texas Responsible AI Governance Act
Status
Enacted as HB 149; signed June 22, 2025; effective January 1, 2026 (in force, not phased)
Type of law
Intent-based prohibitions on specific harmful AI uses — not a mandatory governance regime for private deployers
Affirmative duties
AI-use disclosure for government entities; narrower disclosure duty for healthcare providers
Who it applies to
Both developers and deployers of AI in Texas
Enforcement
Texas Attorney General only, after a 60-day cure period; no private right of action
Good news
Safe harbors (NIST AI RMF, internal/red-team testing, state guidelines), a 36-month DIR regulatory sandbox, and preemption of local AI ordinances

How TRAIGA relates to other AI regulations

Unlike the EU AI Act or the earlier Colorado model, enacted TRAIGA does not use statutory risk tiers or impose a broad risk-classification regime. It does, however, treat substantial compliance with the voluntary NIST AI RMF as a safe harbor, so the documentation you build for good governance also supports frameworks like the NIST AI RMF and ISO/IEC 42001 (both on our roadmap).

Applicability

Who must comply with TRAIGA?

TRAIGA applies broadly to developers and deployers of AI in Texas. Its core prohibitions turn on intent and conduct rather than on your sector, but the contexts below carry elevated practical risk or have specific duties — and they are where a documented governance record matters most.

Healthcare

Specific AI-use disclosure duties apply

Common AI uses: Clinical decision support, diagnostic AI, treatment planning tools, prior authorization AI, patient-facing chatbots, EHR recommendation engines

HR & Employment

Watch the discrimination prohibition

Common AI uses: Hiring screening algorithms, resume ranking tools, performance evaluation AI, workforce planning systems, promotion recommendation engines

Financial Services

Intersects with FCRA / ECOA duties

Common AI uses: Credit scoring models, loan origination AI, fraud detection systems, insurance underwriting AI, financial eligibility tools

Enterprise / General

Applies broadly across industries

Common AI uses: Customer service AI making access decisions, procurement AI affecting vendors, operational AI in regulated workflows, any AI with material decision impact

Both developers and deployers fall under TRAIGA

TRAIGA reaches both the developers and the deployers of AI in Texas, so using a vendor's tool does not place you outside the statute. The good news: TRAIGA includes a safe harbor where a third party uses your AI for a prohibited purpose outside your control. To rely on it, you want a documented record of how you vet, configure, and oversee vendor AI — which is exactly the kind of governance record Risk Meridian helps you maintain.

Recommended best practices

Risk Meridian's recommended governance program

Enacted TRAIGA does not require private deployers to run a formal governance program. These six elements are Risk Meridian's recommended best practices — the documentation that builds a defensible record and supports the statute's safe harbors.

01Recommended

AI System Inventory

Maintain a documented inventory of the AI systems your organization uses, especially in higher-stakes contexts.

TRAIGA does not require private deployers to maintain an AI system inventory. We recommend one anyway: a structured register that documents each system's purpose, the decisions it informs, the data it processes, the vendor (if third-party), and the human oversight in place.

An inventory is the foundation of a defensible governance record. Because TRAIGA liability is intent-based, the practical way to show your AI is not being used for a prohibited purpose is documentation — and an inventory is where that record begins.

An AI inventory is most useful when it stays current. As you deploy new AI tools — especially in fast-moving clinical, HR, and operational contexts — keeping the register updated helps you respond quickly if the Texas Attorney General ever asks questions.

How Risk Meridian covers this

AI System Registry

The AI System Registry module helps you document this practice and keep the record current — generated from your governance data, with no manual writing required.

Learn about AI System Registry
02Recommended

Risk Assessment

Document a structured risk review for each AI system to support your defensibility and safe-harbor posture.

TRAIGA does not mandate a documented risk assessment for private deployers, but a structured review is one of the strongest ways to build a defensible record. It evaluates the potential harms a system could cause, the affected population, and the oversight that mitigates those risks.

A structured assessment also supports TRAIGA's safe harbors. Substantial compliance with the NIST AI RMF, internal and adversarial (red-team) testing, and following applicable state-agency guidelines are recognized defenses — and each is far easier to demonstrate when your reviews are documented rather than informal.

We recommend repeating reviews on a defined schedule and whenever you make material changes to a system, its data inputs, its use case, or its deployment context. A living assessment is more persuasive evidence of good-faith governance than a one-time snapshot.

How Risk Meridian covers this

Risk Scoring Engine

The Risk Scoring Engine module helps you document this practice and keep the record current — generated from your governance data, with no manual writing required.

Learn about Risk Scoring Engine
03Recommended

Governance Controls

Implement and track governance controls proportionate to the risk level of each AI system.

Building on the risk review, we recommend implementing governance controls proportionate to the risks you identify. For higher-risk AI — particularly systems used in healthcare, employment, credit, or housing — controls typically include human oversight, data governance procedures, and defined escalation paths.

Documenting controls, assigning them to responsible parties, and tracking completion gives you evidence that governance is actually operating — not just intended. That evidence is what helps rebut an allegation of prohibited intent under TRAIGA.

Controls are not static. As AI systems evolve and new risks emerge, updating the control set keeps your governance record current and credible. None of this is a TRAIGA mandate for private deployers — it is best practice that strengthens your position.

How Risk Meridian covers this

Control Auto-Creation & Tracking

The Control Auto-Creation & Tracking module helps you document this practice and keep the record current — generated from your governance data, with no manual writing required.

Learn about Control Auto-Creation & Tracking
04Recommended

AI Disclosures

Provide clear notice where the law requires it — and keep disclosure records as a best practice elsewhere.

Enacted TRAIGA does not impose a general public-disclosure duty on private deployers. The statute’s affirmative disclosure obligations fall mainly on government entities, plus a narrower duty for healthcare providers to disclose AI use in treatment and healthcare-service contexts.

If you are a government entity or a healthcare provider, generating clear, plain-language notices is a real obligation — not technical documentation, but accessible notice that AI is being used. Texas SB 1188 (effective September 1, 2025) adds related healthcare requirements around AI-generated records and patient notification.

For private deployers outside those contexts, maintaining consistent disclosure records is a best practice that supports transparency and a defensible governance posture, even though it is not statutorily required.

How Risk Meridian covers this

Disclosure Generator

The Disclosure Generator module helps you document this practice and keep the record current — generated from your governance data, with no manual writing required.

Learn about Disclosure Generator
05Recommended

Incident Logging

Log and investigate AI incidents so you can respond quickly and demonstrate diligence.

TRAIGA does not require private deployers to report AI incidents to a regulator within a set timeframe — there is no statutory incident-reporting regime for private companies. We still recommend maintaining a structured internal log of incidents where a system caused or risked unintended harm, produced a discriminatory outcome, failed materially, or was used outside its approved scope.

A good internal log captures the affected system, the nature of the incident, a severity assessment, the investigation, and the remediation taken. Keeping this record helps you act fast and show diligence if questions arise.

Documented incident handling is part of a defensible governance record. It demonstrates that you monitor your AI and respond to problems — useful context if the Attorney General ever scrutinizes how a system was used.

How Risk Meridian covers this

Incident Log

The Incident Log module helps you document this practice and keep the record current — generated from your governance data, with no manual writing required.

Learn about Incident Log
06Recommended

Leadership Sign-Off

Document leadership review of your AI governance program as an accountability best practice.

TRAIGA does not require executive or board certification of an AI governance program — that was a feature of the original draft (HB 1709) that did not become law. We recommend documenting leadership review anyway, because clear accountability strengthens a governance program.

A timestamped, attributed record that leadership has reviewed the inventory, risk reviews, controls, and disclosures shows the program has organizational backing. It is a governance artifact, not a statutory attestation.

Refreshing that review on a regular cadence — for example, annually — keeps leadership engaged and keeps your governance record current. This is best practice, not a TRAIGA obligation.

How Risk Meridian covers this

Executive Certifications

The Executive Certifications module helps you document this practice and keep the record current — generated from your governance data, with no manual writing required.

Learn about Executive Certifications

Compliance checklist

Recommended AI governance checklist — 12 items

These 12 items are Risk Meridian's recommended best-practice checklist for a defensible AI governance program — not items required by TRAIGA for private deployers. Use them to assess where you stand; Risk Meridian helps you cover each one.

Inventory3 items
  • Identify the AI systems you use, especially in higher-impact contexts

    Include internal, third-party, and vendor-provided AI tools

    Platform covered
  • Document each system's purpose, data inputs, and decision scope

    Platform covered
  • Assign an owner and department to every registered AI system

    Platform covered
Risk Assessment3 items
  • Complete a structured risk questionnaire for each AI system

    Evaluate data sensitivity, decision impact, oversight mechanisms, and clinical/healthcare factors

    Platform covered
  • Assign Risk Meridian's risk classification (Low / Moderate / High) with documented rationale

    Platform covered
  • Set a review cadence and next review date for each system

    Platform covered
Controls2 items
  • Implement governance controls proportionate to each system's risk level

    Include human oversight, data governance, and documentation controls

    Platform covered
  • Track control completion with evidence and assign completion targets

    Platform covered
Disclosures2 items
  • Generate clear AI disclosure statements (required for government entities and healthcare providers; recommended elsewhere)

    Platform covered
  • Establish a process to provide notice to affected individuals where disclosure applies

    Platform covered
Incidents1 item
  • Implement an AI incident log and internal reporting workflow

    Platform covered
Leadership Sign-Off1 item
  • Document leadership review and sign-off on the AI governance program

    Refresh on a regular cadence — for example, annually

    Platform covered

Enforcement & penalties

How TRAIGA is enforced

TRAIGA is now in force and enforced exclusively by the Texas Attorney General, following a 60-day cure period. Penalties attach to prohibited conduct — and because liability is intent-based, a documented governance record is the practical way to show your AI wasn't used for a prohibited purpose.

Tiered civil penalties

Civil penalties scale with the violation: roughly $10,000–$12,000 for curable violations, $80,000–$200,000 for uncurable violations, and $2,000–$40,000 per day for continuing violations. There is no per-system or registration penalty — penalties attach to prohibited conduct.

60-day cure period

Before penalties apply, TRAIGA gives organizations a 60-day period to cure a violation after notice. A documented, current governance record makes it far easier to identify, fix, and demonstrate the cure within that window.

Attorney General enforcement only

TRAIGA is enforced exclusively by the Texas Attorney General — there is no private right of action, so private plaintiffs cannot sue under the statute. If the AG inquires about how a system is used, a clear governance record is the practical way to respond.

Reputational and operational risk

A public enforcement action can be more damaging than the direct financial penalty. Healthcare organizations in particular face patient-trust and accreditation implications, which is one more reason to keep a defensible governance record.

TRAIGA is in force — a typical path to getting organized

Step 1

Build your AI inventory

Start by documenting the AI systems you use — their purpose, the decisions they inform, vendors, and oversight. This is the foundation of a defensible record, and Risk Meridian lets most teams complete an initial inventory in a single working session.

Step 2

Document risk reviews & controls

Run a structured risk review for each system and attach proportionate governance controls. This is where you build the evidence that supports the safe harbors — NIST AI RMF alignment, internal and adversarial testing, and human oversight.

Step 3

Disclosures, sign-off & upkeep

Generate notices where disclosure applies (government and healthcare contexts), document leadership review, and keep everything current with scheduled reviews so your record stays credible over time.

Bottom line: TRAIGA took effect January 1, 2026, so the law is live today. There is no deadline to build a mandated governance program — the value of getting organized is having a defensible record ready if questions ever arise. Purpose-built software makes that fast.

Risk Meridian compliance platform

How Risk Meridian helps you build a defensible record

Risk Meridian is purpose-built for AI governance in Texas. Rather than a generic compliance suite you have to configure, it gives you a working governance program out of the box — focused on the documentation that makes your AI use defensible.

Teams get organized in weeks rather than months. The platform handles the documentation, the structure, and the ongoing upkeep — your team makes the governance decisions. It supports your compliance program; it does not by itself guarantee compliance with any law.

Inventory in hours, not weeks

Register AI systems with a guided form that captures the fields that matter for a defensible record. Most organizations complete their initial inventory in a single working session.

Auto-generated risk classifications

Complete the structured questionnaire and get an immediate, auditable risk classification — Risk Meridian's own Low / Moderate / High bands — with a documented rationale you can stand behind.

Controls without manual mapping

The platform's rules engine automatically suggests applicable governance controls from your risk profile. No manual control mapping, no framework interpretation — just a pre-populated control list ready to implement.

Clear disclosures in seconds

The Disclosure Generator produces plain-language disclosure statements populated from your registry data — useful for government and healthcare disclosure duties and as a transparency best practice elsewhere.

Governance Report Pack on demand

Produce a complete documentation package — inventory, risk reviews, controls, disclosures, incident log, leadership sign-off — with one click, any time you need to show your work.

Ongoing governance, not a one-time snapshot

Review scheduling, control tracking, incident logging, and a governance maturity score keep your record current — a living, tamper-evident, append-only history rather than a stale spreadsheet.

FAQ

TRAIGA compliance questions answered

What is the Texas Responsible AI Governance Act (TRAIGA)?
TRAIGA, enacted as House Bill 149, is a Texas law that took effect January 1, 2026. It is primarily an intent-based prohibition statute: it prohibits developing or deploying AI with the intent to incite a person to self-harm, harm others, or commit a crime; with the sole intent to infringe constitutional rights; to intentionally and unlawfully discriminate against a protected class; or to produce child sexual abuse material or certain unlawful deepfakes of minors. It also imposes AI-use disclosure duties on government entities and, in a narrower form, on healthcare providers. It does not impose a general inventory, risk-assessment, public-disclosure, incident-reporting, or executive-certification regime on private companies — those were features of an earlier draft that did not become law.
Which organizations does TRAIGA apply to?
TRAIGA applies broadly to those who develop or deploy AI systems in Texas, covering both developers and deployers. Its prohibitions turn on intent and conduct rather than on the sector you operate in, so any organization using AI in Texas should understand what the statute forbids. Government entities have specific AI-use disclosure duties, and healthcare providers have a narrower disclosure duty. There is no registration requirement and no obligation to inventory or classify your systems under the statute itself.
What does TRAIGA actually prohibit?
TRAIGA prohibits specific intentional, harmful uses of AI: developing or deploying a system with the intent to incite or encourage a person to harm themselves, harm another person, or commit a crime; with the sole intent to infringe, restrict, or otherwise impair constitutional rights; to intentionally and unlawfully discriminate against a protected class; or to produce child sexual abuse material or certain unlawful sexual deepfakes of minors. Because liability is intent-based, a documented record of your AI’s purpose, testing, and oversight is the practical way to show you did not have a prohibited intent.
Does TRAIGA offer any safe harbors?
Yes. TRAIGA recognizes several defenses that reward good-faith governance. These include substantial compliance with a recognized AI risk-management framework such as the NIST AI RMF; discovering a violation through internal testing, including adversarial or red-team testing; complying with guidelines issued by state agencies; and situations where a third party used the AI for a prohibited purpose outside your control. TRAIGA also created a 36-month regulatory sandbox administered by the Texas Department of Information Resources (DIR) for testing AI under regulatory supervision, and it preempts conflicting local AI ordinances, which simplifies the Texas picture.
When does TRAIGA take effect?
TRAIGA (HB 149) was signed into law on June 22, 2025, and took effect January 1, 2026. It is now in force. Unlike the EU AI Act, TRAIGA is not phased in over multiple dates — its provisions apply as of the January 1, 2026 effective date.
What are the penalties for violating TRAIGA?
TRAIGA is enforced exclusively by the Texas Attorney General, following a 60-day cure period during which an organization can fix a violation. Civil penalties are tiered: roughly $10,000 to $12,000 for curable violations, $80,000 to $200,000 for uncurable violations, and $2,000 to $40,000 per day for continuing violations. There is no private right of action — private plaintiffs cannot sue under TRAIGA — and there is no per-system or registration penalty. Penalties attach to prohibited conduct, not to having an un-inventoried or unregistered system.
Does TRAIGA apply to healthcare AI specifically?
Healthcare is where TRAIGA imposes one of its few affirmative duties on private organizations: healthcare providers must disclose the use of AI in treatment and healthcare-service contexts. Separately, Texas SB 1188 (effective September 1, 2025) requires provider review of AI-generated records consistent with Texas Medical Board standards, places limits on offshoring electronic medical records, and adds patient-notification rules. These are real, specific obligations — distinct from the broad governance regime that did not become law. Risk Meridian includes healthcare-specific fields, clinical AI risk factors, and reporting designed to help healthcare organizations document AI use and support these duties.
Can a spreadsheet or manual process work for AI governance?
There is no statutory requirement to use dedicated software. The case for a purpose-built tool is practical, not legal: because TRAIGA liability is intent-based, your defense is a current, credible record of how your AI is used, tested, and overseen. Spreadsheets go stale, are easy to edit without attribution, and make it hard to show when and by whom a record changed. Risk Meridian keeps a tamper-evident, append-only audit log with timestamped, attributed records, and it keeps your inventory, risk reviews, controls, and disclosures organized so you can respond quickly if the Attorney General ever asks. That supports your governance program and helps you use the statute’s safe harbors — it does not by itself guarantee compliance.

More questions about TRAIGA compliance? Email our compliance team →

Start building your AI governance record

Risk Meridian is purpose-built for AI governance in Texas. Register your first AI system, run your first risk review, and generate your first disclosure statement — all in the same session. No credit card required.

Healthcare organizations — see our healthcare AI governance solution