Texas's AI Law Is Now in Force: What TRAIGA Actually Requires of Founders and In-House Counsel

Texas's Responsible AI Governance Act (HB 149) has been in force since January 1, 2026 — and it is far narrower than the bill it grew from. Here is who TRAIGA reaches, what its intent-based prohibitions mean, how the Texas AG enforces it, and the NIST safe harbor to build toward.


If you have been bracing for a Texas version of the European Union's sprawling AI rulebook, you can exhale. The law that actually arrived is narrower, sharper, and already binding.

Texas has an AI law now — and it is not the EU AI Act

On June 22, 2025, Governor Greg Abbott signed the Texas Responsible Artificial Intelligence Governance Act, or TRAIGA, into law as House Bill 149. The statute took effect on January 1, 2026, and is captioned as "relating to regulation of the use of artificial intelligence systems in this state; providing civil penalties." Authored in the House by Rep. Giovanni Capriglione and sponsored in the Senate by Sen. Charles Schwertner, it makes Texas one of the first states to enact a comprehensive AI statute.

The version that became law is not the one many observers expected. TRAIGA is the pared-back successor to HB 1709, an earlier bill modeled on the EU AI Act and the Colorado AI Act that centered on "high-risk" AI systems, mandatory impact assessments, and consumer notice obligations. As the bill moved through the 89th Legislature, those features were stripped out. The enacted text removed requirements for private companies to notify consumers when they interact with AI systems and to conduct impact assessments, among other provisions.

What remains is a deliberately different model. Rather than building a comprehensive high-risk regime around documentation and disclosure, the final law focuses on intent-based prohibitions. Employers, in particular, are no longer required to conduct impact assessments or to disclose AI use to applicants and employees.

📌
The practical takeaway: most Texas businesses are not facing an EU-style compliance build. But you are now inside a real enforcement regime that is in force today, with civil penalties attached. Those two facts are not in tension — and the rest of this guide explains how to hold both.

Who TRAIGA actually reaches

The jurisdictional hooks are wide. TRAIGA applies to any person or entity that promotes, advertises, or conducts business in Texas; that produces a product or service Texas residents use; or that develops or deploys an artificial intelligence system in Texas. Read that middle trigger carefully: it pulls in out-of-state companies that never set foot in Texas but have Texans as users. A Delaware-incorporated, San Francisco-based startup is covered the moment its product is used by Texas residents.

To make the reach concrete:

  • A California or Delaware startup with Texas users is covered, because its product or service is used by Texas residents.
  • Any company that advertises or does business in Texas is covered, regardless of where it sits.
  • Building or running an AI system inside Texas is covered on its own, even before you have a single customer.

The definition of what counts as an "artificial intelligence system" is equally broad. TRAIGA borrows the OECD-style framing: any machine-based system that, for any explicit or implicit objective, infers from the inputs it receives how to generate outputs — content, decisions, predictions, or recommendations — that can influence physical or virtual environments. If you have wondered whether your recommendation engine, your scoring model, or your generative feature qualifies, assume it does and work backward from there.

Two boundaries narrow the picture. First, a "consumer" under the statute is a Texas resident acting only in an individual or household context, so purely B2B interactions sit outside the consumer-protective provisions. Second, the law also reaches Texas state and local government entities, which carry the most restrictive duties of all — a point worth flagging now because those obligations come up later. The practical takeaway: jurisdiction is the easy part to trigger, and the harder questions are about substance.

What's prohibited — and why "intent" is the whole ballgame

TRAIGA does not police outcomes. It polices purpose. Every one of its four core prohibitions turns on what you intended your AI system to do, not on what the system actually did once deployed. According to Perkins Coie's analysis of the enacted statute, a person may not develop or deploy an AI system:

  • with the intent to manipulate human behavior to incite or encourage self-harm, harm to another person, or criminal activity;
  • with the intent to unlawfully discriminate against a protected class in violation of state or federal civil-rights law;
  • with the sole intent to produce or distribute child sexual abuse material or certain unlawful sexually explicit deepfakes; and
  • with the sole intent to infringe, restrict, or otherwise impair an individual's rights guaranteed under the U.S. Constitution.

Read those qualifiers closely, because they do most of the work. Two prohibitions require sole intent, and the discrimination provision requires intent specifically — not effect. As K&L Gates notes, disparate impact alone is not enough to establish the discriminatory intent TRAIGA demands. Norton Rose Fulbright reaches the same reading: "evidence of 'disparate impact' is not enough to demonstrate such an intent." That is a sharp departure from disparate-impact liability regimes, and it is widely read to narrow algorithmic-bias exposure in hiring and lending.

The practical upshot: most ordinary AI deployment is not prohibited under TRAIGA. But the intent gate does not mean you can ignore the statute. The Texas Attorney General can issue civil investigative demands compelling a system description, intended use and purpose, training data, inputs, outputs, performance metrics, and known limitations — and, per the IAPP's summary of the enforcement scheme, may issue those demands without first sending a notice of violation when a complaint arrives through the online portal. So intent protects you only if you can document it. The fourth prohibition deserves a separate flag: the constitutional-rights provision has no direct EU or Colorado analog, and its practical contours are untested.

The duties most businesses will actually touch: disclosure and biometrics

The prohibitions in the prior section apply across the board, but the affirmative duties under TRAIGA are narrower than the early drafts suggested. The plain-language consumer-notice obligation — telling people before they interact with an AI system — along with the bans on AI "social scoring" and biometric identification without consent, fall on government entities, not private firms. The earlier version of the bill (HB 1709) would have reached private companies; the enacted version (HB 149) narrowed that consumer-AI-notice duty out of the private sector. If you run a startup, that duty is not yours to carry.

Disclosure

One affirmative disclosure duty does reach the private sector: healthcare providers. If your company provides healthcare services or treatments, you must clearly and conspicuously disclose your use of AI systems in certain patient-facing contexts. For most software founders this is a non-issue — but if your product touches care delivery, treat it as a live requirement, not a courtesy.

Biometrics

The part with the broadest reach is what TRAIGA does to Texas's biometric privacy law (CUBI). It adds carve-outs: training, processing, or storing biometric identifiers to develop or offer an AI model or system is exempt — unless the system is used to uniquely identify a specific individual. There is also an exemption for AI built to prevent, detect, or respond to security incidents, identity theft, fraud, harassment, or other illegal activity.

The trap is in the consent rule. An individual is not deemed to consent to capture or storage of their biometric identifiers solely because a publicly available image containing those identifiers exists — unless that individual made the image public themselves. Scraping public photos to train a face-identification model therefore does not imply consent. The statute does not define what makes an image "publicly available," so where third-party reposts and platform uploads land is an open question your counsel should flag.

Enforcement, penalties, and the safe harbor you should build toward

Start with the reassuring part. TRAIGA is enforced exclusively by the Texas Attorney General, and the statute creates no private right of action. Members of the public can lodge complaints through an online portal, but they cannot sue you over an AI system. That keeps your exposure concentrated in one place rather than scattered across plaintiffs' firms, which is a meaningful difference from how privacy and consumer-protection litigation usually unfolds.

There is also a built-in off-ramp. Before the AG pursues enforcement, it must provide written notice and a 60-day cure period. If you fix the violation within that window, you avoid the penalty entirely. The one wrinkle: the AG's authority is exclusive except as to certain state licensing agencies, so a licensed entity can also face administrative sanctions through its regulator, up to and including license suspension.

The numbers are where the calm should turn into focus, because the tiers escalate quickly once a problem becomes uncurable or runs day after day.

⚖️
TRAIGA penalty tiers: $10,000–$12,000 per curable violation; $80,000–$200,000 per uncurable violation; and $2,000–$40,000 per day for a continuing violation.

The actionable centerpiece is the affirmative defense. You can raise substantial compliance with the NIST AI Risk Management Framework (or a comparable recognized standard), paired with discovering the violation through internal testing or a good-faith audit. A separate defense applies where a third party, not your company, misused the system in a prohibited way. Building toward the NIST framework now is the single most concrete thing your team can do to convert a potential penalty into a documented defense.

Two structural features round out the regime. TRAIGA establishes a regulatory sandbox that lets approved participants operate for up to 36 months with the AG restricted from certain enforcement during participation, and a seven-member Texas Artificial Intelligence Council that, notably, has no binding rulemaking authority. Treat both as context rather than compliance obligations.

Actionable Next Steps

TRAIGA does not reward teams that wait for an enforcement letter. Because liability turns on intent and the Attorney General is the sole enforcer, the work that protects you is the work you can document before anyone asks. The following sequence converts everything above into a defensible governance posture, ordered roughly by what you should tackle first.

  1. Inventory every AI system that touches Texans, and classify each as developer or deployer. Map which systems serve Texas users, then label your role for each one so you know which obligations attach.
  2. Document the intent and deployment purpose of each system. Put written AI policies in place that capture intended use, internal review, and input/output tracking. Liability under TRAIGA turns on intent, and the Attorney General can demand the underlying documentation, so this record is your first line of defense. See Norton Rose Fulbright's analysis of the documentation expectations.
  3. Pressure-test high-stakes decisioning tools against the intent-based discrimination prohibition. For hiring, lending, and eligibility systems, do not rely on disparate-impact metrics alone; be ready to show benign intent behind the design and deployment, as K&L Gates explains.
  4. Add the healthcare AI-use disclosure if you provide healthcare services. Implement a clear-and-conspicuous notice that AI is involved in the service, consistent with Perkins Coie's read of the disclosure rule.
  5. Review biometric and training-data practices against the CUBI consent rule. Confirm that publicly available images are not being treated as consent; under the rule, public availability does not imply consent unless the subject made the data public, per WilmerHale's summary.
  6. Adopt and document substantial compliance with the NIST AI Risk Management Framework, paired with internal testing and audits. This is the affirmative defense the statute offers, so the documentation matters as much as the controls themselves, as Greenberg Traurig details.
  7. If you also serve EU users, coordinate this work with your EU AI Act posture. This is practical efficiency rather than a TRAIGA requirement: the NIST AI RMF work supports both regimes, so you can run one governance program instead of two.

None of this is static. Expect the Attorney General's office to refine its enforcement priorities over the next several cycles, and treat your AI inventory and documentation as living records you revisit as your systems and the guidance evolve.

Building a TRAIGA readiness or AI governance plan and want a second set of eyes from a team that practices here? Promise Legal is an Austin firm that works with founders and in-house counsel on exactly this.
