Texas TRAIGA Compliance Checklist 2026, Responsible AI Governance Act
Texas TRAIGA (the Responsible AI Governance Act, signed June 22, 2025) took effect January 1, 2026. It applies to every developer and deployer of AI systems used by Texas residents, regardless of where your company is based.
TRAIGA at a glance:
| Element | Details |
|---|---|
| Effective date | January 1, 2026 |
| Who it covers | Any entity developing or deploying AI used by Texas residents |
| Private sector obligations | Prohibited uses only (with intent standard); no documentation, assessment, or notice mandates |
| Government entity obligations | AI disclosure to users; social scoring ban; constitutional rights protection |
| Liability standard | Intent-based; must prove intentional misconduct |
| Safe harbor | Substantial NIST AI RMF compliance |
| Enforcement | Texas AG only (no private right of action) |
| Notice to cure | Required before enforcement action |
| Penalties | $10K-$12K/violation (curable); $80K-$200K (uncurable); $2K-$40K/day (continuing) |
TL;DR: Texas TRAIGA (Responsible AI Governance Act, HB 149) took effect January 1, 2026. The signed law is substantially narrower than earlier drafts. For the private sector, prohibited uses (behavioral manipulation, discrimination, non-consensual deepfakes, CSAM) apply with an intent standard. No impact assessments, documentation packages, or consumer notices are required of private sector entities; those obligations were removed before passage. Government entities must disclose AI use and are banned from social scoring. Safe harbor: substantial NIST AI RMF compliance. Enforcement: Texas AG only, $10k-$200k per violation, 60-day cure period. No private right of action.
Step 1: Determine if TRAIGA applies to you
TRAIGA applies if you:
- Develop AI systems deployed to Texas residents
- Deploy AI systems used by Texas residents
- Conduct business in Texas using AI systems
- Market AI systems into Texas
Out of scope: Academic research, national security applications, and AI systems used solely for internal testing without consumer interaction.
Step 2: Prohibited uses, absolute prohibitions
TRAIGA prohibits developing or deploying AI systems with intent to:
| Prohibited use | Notes |
|---|---|
| Behavioral manipulation toward self-harm, harm to others, or criminal activity | "Intent" required; accidental misuse is different from designed manipulation |
| Discrimination against protected classes | Unlawful discrimination, not disparate impact per se |
| Infringement of constitutional rights | Applies to state actors; private entities: follow your anti-discrimination obligations |
| Non-consensual deepfakes of identifiable individuals | Video, audio, image, sexual content and otherwise |
| Child sexual abuse material (CSAM) | Absolute prohibition regardless of intent standard |
| Encouraging or facilitating serious criminal activity | Covers AI-assisted fraud, cyberattacks, and similar |
Red-flag checklist:
- Have you reviewed your system's outputs for manipulation pathways?
- Do your terms of service explicitly prohibit deepfake generation of real individuals?
- Are CSAM filters implemented at the model layer, not just the UI layer?
Step 3: Private sector, what TRAIGA does NOT require
Important: Earlier draft legislation (HB 1709) included mandatory impact assessments, developer documentation packages, governance programs, and consumer notices for all private sector entities. None of these provisions survived into HB 149, the law that was actually signed. If you are reading compliance guides based on the earlier drafts, they describe requirements that do not exist under current Texas law.
For private sector developers and deployers, TRAIGA's only substantive obligations are:
- Do not engage in prohibited uses (Step 2 above)
- Qualify for the safe harbor if you want to limit enforcement exposure (Step 5 below)
There is no private sector requirement to:
- Provide system documentation packages to deployers
- Conduct pre-deployment impact assessments
- Implement a formal AI governance program
- Give consumer notices before AI interactions
- Maintain human oversight for high-stakes decisions
These remain best practices, and the NIST AI RMF safe harbor creates an incentive to implement them, but they are not mandatory under HB 149.
Step 4: Government entity obligations
Texas government agencies (state and local) face stricter requirements under TRAIGA:
- AI disclosure: Disclose to individuals when they are interacting with an AI system or when AI is used in a decision affecting them; disclosure is required before or at the time of interaction
- Social scoring ban: State agencies may not use AI to assign social scores that determine access to government benefits, services, or rights
- Constitutional AI ban: State agencies may not deploy AI systems that systematically infringe constitutional rights
If you are a vendor selling AI systems to Texas government agencies, your contractual obligations with the agency (not TRAIGA directly) will typically require you to support their compliance with these provisions.
Step 5: NIST AI RMF safe harbor, the main enforcement lever for private sector
Substantial compliance with the NIST AI Risk Management Framework (RMF 1.0) is an affirmative defense against TRAIGA enforcement. The Texas AG cannot bring an action against an organisation that demonstrates good-faith, documented NIST AI RMF compliance.
To qualify for the safe harbor:
- Formally adopt the NIST AI RMF and document the adoption decision
- Complete GOVERN, MAP, MEASURE, and MANAGE functions for material AI systems
- Maintain records of assessments, results, and actions taken
- Make records available to the Texas AG on request
Note: Citing NIST without documented implementation does not qualify. The AG will ask for evidence.
Step 6: Enforcement and penalties
| Element | Detail |
|---|---|
| Who enforces | Texas Attorney General (exclusive, no private right of action) |
| Notice requirement | AG must provide written notice and opportunity to cure before filing |
| Cure period | 60 days (statute-specified) |
| Penalty range | $10K-$12K (curable not cured); $80K-$200K (uncurable); $2K-$40K/day (continuing) |
| Escalation | Violations submitted as cured but recurring carry the higher uncurable penalty tier |
| Market action | AG can seek injunctions requiring a system to be taken offline |
What triggers enforcement: Complaints from Texas residents or agencies, AG-initiated investigations, and referrals from other state regulators. Intent to harm or discriminate must be demonstrable; accidental harms alone do not trigger liability.
Federal preemption note
The Trump administration's December 2025 executive order directed a federal AI framework intended to preempt inconsistent state laws. As of May 2026, no federal statute implementing preemption has been enacted. TRAIGA is in force and the Texas AG is enforcing it. Consult counsel if you are operating under an assumption that federal preemption protects you; it does not yet.
Practical next steps for small teams
- Run the scope check (Step 1) to confirm whether TRAIGA applies at all
- Audit your AI systems against the prohibited uses in Step 2, and document the review and your intent-based analysis
- Download the NIST AI RMF 1.0 and formally adopt it; the safe harbor is the primary enforcement risk-reduction tool
- Maintain adoption records: document framework assessments, results, and mitigations; the AG can request these
- Check your AI vendor contracts: if you are selling to Texas state agencies, expect agency contracts to require TRAIGA-aligned government-entity compliance support
Note: Impact assessments, governance programs, and consumer notices are not required under HB 149 but are worth implementing as NIST AI RMF deliverables that support the safe harbor. Teams that complete GOVERN, MAP, MEASURE, and MANAGE documentation for their AI systems will have a defensible compliance record regardless of how state AI law evolves over the next legislative cycle. The NIST framework also gives you a common vocabulary for conversations with enterprise customers, many of whom now include AI governance attestations in vendor questionnaires.
