TRAIGA: A Plain-English Guide to the Texas Responsible AI Governance Act
The Texas Responsible Artificial Intelligence Governance Act — TRAIGA, enacted as House Bill 149 — is Texas's first comprehensive AI law. Governor Greg Abbott signed it on June 22, 2025; it took effect January 1, 2026. TRAIGA sets prohibited uses that apply to every entity operating in Texas, layers disclosure requirements on government agencies and healthcare providers, and gives the Texas Attorney General exclusive enforcement authority with tiered civil penalties reaching $200,000 per uncurable violation.
What TRAIGA does
TRAIGA operates on two tracks: universal prohibitions that apply to everyone, and disclosure duties that apply only to specific entity types.
The prohibited uses apply to any person or entity. No one may deploy an AI system with the intent to behaviorally manipulate users into self-harm or criminal activity, infringe constitutional rights, commit intentional and unlawful discrimination (disparate impact alone is insufficient), or generate child sexual content or deepfakes. Government entities face two additional prohibitions: social scoring and biometric identification without consent.
The disclosure duties are narrower. State and local government agencies must tell consumers — before or at the time of interaction, in plain English, free of dark patterns — when an AI system is involved. Healthcare providers must disclose AI use in treatment on the date of service, or as soon as reasonably possible in emergencies. Private non-healthcare businesses face no consumer-facing AI disclosure requirement; that provision was removed from the final bill.
TRAIGA also preempts any city or county AI ordinance, establishing a single statewide standard rather than a patchwork of local rules (Tex. Bus. & Comm. Code § 552.003).
Read the full overview: Texas Enacts One of the Nation's First Comprehensive AI Laws
Who TRAIGA applies to
TRAIGA's geographic reach is broad. Any person or entity that promotes, advertises, or conducts business in Texas; produces products or services used by Texas residents; or develops or deploys an AI system in Texas is covered — regardless of where it is headquartered (Tex. Bus. & Comm. Code § 551.002(1)–(3)).
The statute defines "AI system" expansively: any machine-based system that, for any explicit or implicit objective, infers from its inputs how to generate outputs — content, decisions, predictions, or recommendations — that can influence physical or virtual environments. Most enterprise AI deployments fit that definition.
What is out of scope: B2B and employment-context AI interactions are explicitly excluded. TRAIGA does not impose disclosure, notice, or nondiscrimination requirements for employee or commercial interactions — only consumer-facing AI is in scope.
Key exemptions from the anti-discrimination provision:
- Insurers subject to state insurance laws prohibiting unfair discrimination are exempt (§ 552.056(d)).
- Federally insured financial institutions complying with applicable federal and state banking law are deemed compliant (§ 552.056(e)).
- Hospital districts and institutions of higher education are excluded from the government-agency AI disclosure requirement (§ 552.001(1)–(2)).
- Biometric data used for fraud prevention and cybersecurity training is carved out.
Full scope guide: Does TRAIGA Apply to Your Business?
What TRAIGA requires
For covered entities, the core compliance tasks fall into two categories: prohibitions (universal) and disclosure (entity-specific).
For government agencies: Consumer-AI disclosure must be clear, conspicuous, in plain English, and free of dark patterns. No consumer consent is required — just timely notice.
For healthcare providers: Disclose AI use in treatment at the date of service or as soon as reasonably possible in emergencies. That notice may be embedded in standard patient intake forms.
For all covered entities: If the AG opens an investigation, it can issue a Civil Investigative Demand (CID) requiring AI system descriptions, intended use, training data categories, inputs and outputs, performance metrics, known limitations, post-deployment monitoring records, and user safeguard measures (§ 552.103). Companies that cannot respond face additional exposure on top of the underlying allegation.
TRAIGA provides explicit affirmative defenses. Entities are protected when they discover violations through red-teaming or adversarial testing; conduct an internal review using the NIST AI Risk Management Framework; follow state agency guidance; or act on developer, deployer, or stakeholder feedback. A third-party misuse carveout also applies: a developer or deployer cannot be held liable simply because an end user deploys an AI system for a prohibited purpose.
Detailed compliance steps: TRAIGA Compliance Checklist for Texas General Counsel
Penalties
TRAIGA's civil penalties are tiered, not flat (Tex. Bus. & Comm. Code § 552.105(a)):
- Curable violations: $10,000–$12,000 per violation
- Uncurable violations: $80,000–$200,000 per violation
- Continuing violations: $2,000–$40,000 per day
- Agency sanctions against licensed persons (at AG recommendation): up to $100,000
The statute does not define what makes a violation curable versus uncurable. That line — the difference between a $10,000–$12,000 penalty and an $80,000–$200,000 one — will, as Norton Rose Fulbright noted in March 2026, be "developed by experts, the courts and the resulting common law." The first companies to receive violation notices will write those rules.
One practical implication: entities have 60 days after receiving an AG notice of violation to cure and submit a written explanation of the cure and any policy changes. Norton Rose Fulbright has cautioned that 60 days "may be insufficient time to 'cure' a violation of TRAIGA, particularly because a 'cure' might mean that the party must substantially modify an AI system." In practice, a violation notice can function as a cease-and-desist.
Why the penalties matter in practice: What Texas Companies Get Wrong About TRAIGA Readiness
Enforcement
The Texas Attorney General holds exclusive enforcement authority under TRAIGA. There is no private right of action (Tex. Bus. & Comm. Code § 552.101).
The enforcement path runs in five steps: a consumer files a complaint through the AG's online portal → the AG may issue a CID → if a violation is found, the entity receives a notice → 60-day cure window → if uncured, the AG seeks civil penalties in court. The AG is prohibited from bringing a civil penalty action against an AI system that has not yet been deployed (§ 552.105(f)).
As of late June 2026, no publicly reported TRAIGA enforcement actions or civil investigative demands have been filed. The AG's office has been building enforcement infrastructure since the law was signed — staffing, technical capacity, and agency disclosure training. The complaint portal has a statutory deadline of September 1, 2026 to go live; practitioners are treating that date as the enforcement inflection point.
AG Ken Paxton's office has demonstrated appetite for AI-adjacent enforcement: it launched investigations into Character.AI, Reddit, Instagram, and Discord in 2024 and created a specialized data privacy enforcement team in June 2024.
The DIR regulatory sandbox
TRAIGA authorizes the Texas Department of Information Resources (DIR) to run an AI regulatory sandbox — a formal testing program that lets companies develop and test AI without needing to first clear separate state licensing or regulatory authorization.
Sandbox participation gives two concrete protections: the AG cannot file enforcement charges for violations of state laws waived for sandbox purposes, and state agencies cannot impose fines or suspend licenses for those same waived requirements during the testing period. The testing window runs up to 36 months; DIR may extend for good cause.
Oversight sits with the Texas Artificial Intelligence Council — a seven-member body appointed by the governor, lieutenant governor, and speaker of the House, administratively attached to DIR. Participants file quarterly performance and risk reports; DIR submits annual reports to the legislature with outcomes and policy recommendations. DIR maintains confidentiality of trade secrets and sensitive information submitted by applicants.
What the sandbox does not waive: TRAIGA's four core prohibitions — behavioral manipulation, constitutional-rights infringement, intentional unlawful discrimination, and child sexual content bans — still apply during sandbox participation. The sandbox relieves only separate licensing and regulatory requirements, not core TRAIGA obligations.
As of June 2026, the sandbox is authorized by law and in effect. Whether DIR has published application forms or begun accepting participants has not been confirmed; builders should check directly at dir.texas.gov.
Full sandbox guide: What Texas's AI Regulatory Sandbox Offers Builders
How Texas compares to Colorado and the EU
Three major AI legal regimes are now in force — or imminently becoming so — and they operate on fundamentally different logics.
| Dimension | TRAIGA (Texas) | Colorado SB 26-189 | EU AI Act |
|---|---|---|---|
| Effective date | Jan 1, 2026 | Jan 1, 2027 | Phased: Feb 2025–Aug 2027+ |
| Framework | Prohibition-based (intent required) | Disclosure + consumer rights | Risk-based tiered |
| Enforcer | TX AG exclusively | CO AG exclusively | National authorities + EU AI Office |
| Private right of action | No | No | No (complaint mechanism only) |
| Disclosure duties | Gov agencies + healthcare providers only | All covered ADMT in 7 domains | Varies by risk tier |
| Impact assessments | No | No (eliminated) | Yes (high-risk systems) |
| NIST safe harbor | Yes (explicit) | No | No |
| Max penalty | $200,000/uncurable violation | Not yet specified | EUR 35M or 7% global revenue |
Colorado's original AI Act (SB 24-205) — a risk-tiered law modeled on the EU — was repealed in its entirety. On May 14, 2026, Governor Polis signed SB 26-189, replacing it with a narrower disclosure-and-rights model effective January 1, 2027. The repeal passed 34–1 in the Colorado Senate and 57–6 in the House, following a federal court stay and DOJ intervention triggered by a December 2025 White House executive order critical of Colorado's approach.
The EU AI Act entered into force August 1, 2024, with a phased rollout: prohibited AI practices have been enforceable since February 2, 2025; GPAI model rules since August 2, 2025; most high-risk AI system obligations take effect August 2, 2026. EU penalties for prohibited practices reach the greater of EUR 35 million or 7% of global annual turnover. A political agreement to streamline certain obligations was reached May 7, 2026, but formal EU Parliament and Council adoption had not been confirmed as of publication.
Full comparison: Texas, Colorado, and the EU Just Diverged on AI Law. Here's the New Map.
Frequently asked questions
When does TRAIGA take effect?
TRAIGA took effect January 1, 2026. Governor Greg Abbott signed HB 149 on June 22, 2025, giving organizations roughly six months to prepare before the law became operative.
Does TRAIGA apply to small businesses?
TRAIGA's prohibited-use provisions apply to any entity that develops or deploys AI in Texas or offers AI-powered products or services to Texas residents — there is no small-business exemption from the core prohibitions. However, for most private non-healthcare companies, the immediate practical burden is lighter than the law's headline suggests: there is no consumer-facing AI disclosure requirement for private businesses, and B2B and employment-context AI interactions are explicitly out of scope.
What are the penalties under TRAIGA?
Penalties are tiered, not flat. Curable violations carry $10,000–$12,000 per violation; uncurable violations carry $80,000–$200,000 per violation; continuing violations accrue at $2,000–$40,000 per day. Separately, the AG may recommend agency sanctions of up to $100,000 against licensed persons. The statute does not yet define what distinguishes a curable from an uncurable violation — that line will be drawn by early enforcement and common law.
Is there a private right of action under TRAIGA?
No. TRAIGA provides no private right of action (Tex. Bus. & Comm. Code § 552.101). Enforcement authority belongs exclusively to the Texas Attorney General. Individuals cannot sue companies directly under TRAIGA; they can file complaints through the AG's portal, which the statute requires to be live by September 1, 2026.
How is TRAIGA different from Colorado's AI Act?
Colorado repealed its original AI Act (SB 24-205) entirely in May 2026 and replaced it with SB 26-189, effective January 1, 2027. Texas TRAIGA is already in effect and uses a prohibition-based, intent-required framework with disclosure duties only for government agencies and healthcare providers. Colorado's replacement law uses a disclosure-and-consumer-rights model covering seven sectors, with no impact assessments. Neither law creates a private right of action.
What is the DIR regulatory sandbox?
TRAIGA authorizes the Texas Department of Information Resources to administer a regulatory sandbox — a formal testing program offering up to 36 months of AI development without needing separate state licensing, with AG enforcement paused during participation. Core TRAIGA prohibitions still apply. As of June 2026, the sandbox is authorized but whether DIR has published application forms or begun accepting participants has not been confirmed.
Does TRAIGA apply to employers using AI in hiring?
TRAIGA does not impose disclosure, notice, or nondiscrimination requirements in employment or B2B contexts. AI used in hiring, performance management, or other internal employment decisions is out of scope for the disclosure obligations. The universal prohibited uses — behavioral manipulation, constitutional rights infringement, intentional unlawful discrimination — still apply to any context, including employment, though the disclosure and notice machinery does not.
This guide was published by Matt Bertram and reflects verified facts as of June 26, 2026. Texas AI Report follows strict editorial standards for YMYL legal and regulatory content; every factual claim traces to a named primary or secondary source. For our full editorial policy, see /editorial-standards. This page is analysis and commentary, not legal advice.