
Texas TRAIGA: What the Responsible AI Governance Act Requires and How to Comply

Last reviewed: April 26, 2026


Key Takeaways

  • The Texas Responsible AI Governance Act (TRAIGA, HB 149) took effect on January 1, 2026. It is already enforceable.
  • TRAIGA is not a comprehensive AI regulation like Colorado’s AI Act. It prohibits specific harmful AI uses — CSAM, behavioral manipulation, government social scoring, biometric capture without consent — with an intent-based liability framework.
  • Enforcement is exclusive to the Texas AG, with a 60-day cure period for curable violations. There is no private right of action. Penalties range from $10,000-$12,000 for curable violations to $80,000-$200,000 for uncurable violations.
  • The law was significantly narrowed during the legislative process. The original bill proposed a broad duty-of-care framework similar to the EU AI Act. What passed focuses on prohibited harms, not comprehensive governance.
  • Federal preemption remains a risk: the White House’s March 2026 legislative framework proposes overriding state AI laws, and the AG-led AI Litigation Task Force was created to challenge them.

What TRAIGA Is

The Texas Responsible AI Governance Act (House Bill 149) was signed by Governor Greg Abbott on June 22, 2025 and took effect on January 1, 2026. It is the second major state-level AI law in the US, after Colorado’s AI Act (SB 24-205, effective June 30, 2026).

The critical context: what passed is far narrower than what was introduced. The original bill proposed a comprehensive duty-of-care framework with mandatory impact assessments, risk management policies, and consumer rights — structurally similar to the EU AI Act. During the legislative process, industry lobbying and committee amendments stripped most of these provisions. What survived is a prohibited-harms framework with intent-based liability.

Multiple law firm analyses (Baker Botts, Nelson Mullins, Sidley Austin) confirm this narrowing. It is not an echo chamber — independent legal teams analyzing the bill text reached the same conclusion.


Who TRAIGA Applies To

TRAIGA applies to developers and deployers of AI systems operating in Texas. Unlike Colorado, it does not distinguish between these roles with separate obligation sets.

The law covers AI systems that are designed to or could reasonably be expected to:

  • Incite self-harm or criminal activity
  • Generate child sexual abuse material or deepfake child exploitation content
  • Enable government social scoring
  • Capture biometric identifiers without consent
  • Manipulate behavior through deceptive means
  • Make discriminatory decisions based on protected characteristics

If your AI system does not fall into these categories, TRAIGA’s direct prohibitions do not apply. However, the disclosure requirements for state agencies using AI apply more broadly.

Geographic scope: Any entity deploying AI systems to Texas residents or within Texas, regardless of where the entity is headquartered.


Key Requirements

Prohibited Uses

TRAIGA explicitly prohibits deploying AI systems designed for:

1. Harm to minors. AI systems that generate, distribute, or facilitate child sexual abuse material, including AI-generated (deepfake) exploitation content. This aligns with the federal TAKE IT DOWN Act (signed May 2025) but operates at the state enforcement level.

2. Behavioral manipulation. AI systems designed to manipulate a person’s behavior through deceptive means, causing or likely to cause physical or financial harm. The intent requirement is important: accidental manipulation or standard recommendation algorithms are not targeted.

3. Government social scoring. Prohibits Texas government agencies from deploying AI systems that score citizens’ general trustworthiness based on social behavior or inferred personality traits. This mirrors concerns raised about China’s social credit infrastructure, adapted to the US context.

4. Biometric capture without consent. Bans capturing biometric identifiers — fingerprints, voiceprints, iris scans, facial geometry — without the individual’s informed consent. Texas already had one of the strongest biometric privacy laws (CIPA), under which Meta settled for $1.4 billion in July 2024. TRAIGA reinforces this in the AI context.

5. Discriminatory decisions. Prohibits AI systems designed to make decisions based on protected characteristics (race, sex, religion, national origin, disability, age) where those decisions affect employment, housing, credit, education, or other consequential domains.

State Agency Disclosure

Texas state agencies using AI systems in decision-making must disclose that AI is being used and provide information about the system’s purpose and scope. This transparency requirement applies regardless of the specific prohibited-use categories.

Intent-Based Liability

TRAIGA’s liability framework requires intent or knowledge. The law targets AI systems “designed to” perform prohibited functions or that the deployer “knew or reasonably should have known” would be used for prohibited purposes. This is a higher bar than Colorado’s duty-of-care standard, which applies regardless of intent and focuses on algorithmic discrimination outcomes. For the broader US liability picture, see our AI liability guide.


Penalties and Enforcement

| Violation Type | Penalty Range | Details |
|---|---|---|
| Curable violations | $10,000-$12,000 per violation | 60-day cure period after AG notice |
| Uncurable violations | $80,000-$200,000 per violation | No cure period; immediate enforcement |
| Continuing violations | $2,000-$40,000 per day | For ongoing non-compliance |
| Additional | Injunctive relief | AG may seek court orders to halt operations |
| Additional | Attorney’s fees + court costs | Recoverable by the state |

Enforcement body: Texas Attorney General exclusively. No private right of action — individuals cannot sue directly under TRAIGA. This is the same enforcement model as Colorado (AG-exclusive) and contrasts with Washington’s HB 2225 (chatbot safety), which includes a private right of action.

The 60-day cure period: For curable violations, the AG must provide written notice and allow 60 days to remedy the violation before penalties apply. This favors organizations with documented compliance programs that can demonstrate good-faith correction.


TRAIGA vs. Colorado AI Act vs. EU AI Act

For the EU’s risk-classification approach contrasted here, see our EU AI Act Annex III guide.

| Dimension | Texas TRAIGA | Colorado AI Act | EU AI Act |
|---|---|---|---|
| Effective date | January 1, 2026 | June 30, 2026 | Phased: Feb 2025-Aug 2027 |
| Approach | Prohibited harms (narrow) | Duty of care (broad) | Risk classification (comprehensive) |
| Scope | Specific prohibited uses | All high-risk AI in 8 domains | All AI systems by risk tier |
| Impact assessments | Not required | Required for all high-risk AI | Required (FRIA for deployers) |
| Risk management policy | Not required | Not explicitly required | Required (Art. 9) |
| Penalties | $10K-$200K per violation | Up to $20K per violation | Up to EUR 35M or 7% turnover |
| Private right of action | No | No | No (but member states may) |
| Enforcement | TX AG exclusive | CO AG exclusive | National authorities + EU AI Office |
| NIST AI RMF defense | Not referenced | Explicit affirmative defense | Not directly referenced |
| Liability standard | Intent-based | Outcome-based (algorithmic discrimination) | Obligation-based (provider/deployer duties) |

The fundamental difference: Colorado asks “did your AI system cause discriminatory outcomes?” regardless of intent. Texas asks “did you design or knowingly deploy an AI system to cause harm?” The EU asks “did you meet your obligations as a provider or deployer?”

For organizations operating in both Texas and Colorado, Colorado’s broader requirements will be the binding constraint. TRAIGA compliance alone is insufficient for Colorado, but Colorado compliance covers most of what TRAIGA requires.


Compliance Checklist

If you deploy AI systems in Texas, here is what to verify:

1. Audit for prohibited uses. Review every AI system your organization deploys for alignment with the five prohibited categories. Document this review.

2. Check biometric processing. If any AI system processes biometric data (facial recognition, voice analysis, fingerprint scanning), verify you have informed consent from affected individuals. Texas’s existing CIPA law already requires this; TRAIGA reinforces it.

3. Review discrimination controls. For AI systems involved in consequential decisions (hiring, lending, housing, insurance), document what controls prevent discriminatory outputs. Under TRAIGA’s intent-based framework, having documented controls demonstrates good faith.

4. State agency disclosure. If you supply AI systems to Texas state agencies, ensure the agency has mechanisms to disclose AI use to affected individuals.

5. Document intent and design purpose. TRAIGA’s intent-based liability means documentation matters. Maintain records showing: (a) the intended purpose of each AI system, (b) what the system was designed to do and not do, (c) any foreseeable misuse scenarios and mitigations.

6. Establish a cure process. If the AG sends a violation notice, you have 60 days to cure. Have an incident response process ready: who receives notices, who evaluates, who implements remediation.

7. Monitor federal preemption. The White House’s March 2026 legislative framework proposes preempting state AI laws. If Congress acts, TRAIGA could be overridden. Track Congressional activity on AI preemption language.

8. Align with NIST AI RMF. While TRAIGA does not reference NIST specifically (unlike Colorado), implementing the NIST AI Risk Management Framework provides a documented governance structure that supports compliance with any state AI law — and creates Colorado’s affirmative defense if you operate there too.


What TRAIGA Does Not Require

Practitioners should be equally clear about what TRAIGA does not impose:

  • No mandatory impact assessments. Unlike Colorado and the EU AI Act, TRAIGA does not require algorithmic impact assessments or risk assessments for AI systems.
  • No risk classification system. There is no equivalent of Colorado’s “high-risk” definition or the EU’s Annex III categories.
  • No data governance requirements. TRAIGA does not impose training data documentation, quality controls, or transparency about datasets.
  • No conformity assessment. No testing, certification, or third-party audit requirements.
  • No incident reporting. No obligation to report AI-related incidents to the AG or any regulatory body.

These gaps are not oversights — they reflect the legislative compromise that narrowed the original bill. Organizations that implement only TRAIGA’s requirements will have minimal AI governance. For robust protection, implement NIST AI RMF as a governance foundation and layer state-specific requirements on top.


What to Do Now

1. Complete the prohibited-use audit. If you have not already reviewed your AI systems against TRAIGA’s five prohibited categories, this is overdue — the law took effect January 1, 2026.

2. Verify biometric consent workflows. Texas’s combined CIPA + TRAIGA biometric framework is one of the strictest in the US. The $1.4 billion Meta settlement under CIPA demonstrates that Texas enforces these provisions aggressively.

3. Build for Colorado too. If your AI systems serve users in both Texas and Colorado, build your compliance program to Colorado’s higher standard (effective June 30, 2026). Colorado compliance inherently covers TRAIGA.



Sources

Primary Sources

  • Texas HB 149, Texas Responsible AI Governance Act (TX Legislature Online)
  • Governor Abbott signing statement, June 22, 2025
  • Texas Attorney General enforcement authority, Texas Business & Commerce Code

Analysis

  • Baker Botts, “Texas AI Governance Act: What You Need to Know” (June 2025)
  • Nelson Mullins, “TRAIGA Analysis: Narrowed Scope, Intent-Based Liability” (June 2025)
  • Sidley Austin, “Texas Passes Responsible AI Governance Act” (June 2025)
  • Fisher Phillips, “State AI Laws: A Comprehensive Review” (January 2026)


This article provides general information about AI regulation and does not constitute legal advice. Laws and policies change frequently. Consult qualified legal counsel for compliance decisions specific to your organization.

Reg Intel
Published: April 26, 2026 · Updated: April 29, 2026
Source: https://reg-intel.com/texas-traiga-what-the-responsible-ai-governance-act-requires-and-how-to-comply/