Texas’s AI law is already in force — and it’s narrower than you feared.

While much of the country argued about AI bills that may take effect in 2027, Texas quietly turned one on. The Texas Responsible Artificial Intelligence Governance Act — TRAIGA, House Bill 149 — was signed June 22, 2025, and has been in force since January 1, 2026. The good news: it is far narrower than the Colorado-style law many businesses braced for. The catch: complying still assumes you can describe the AI you run.

Who it reaches

TRAIGA’s reach is broad even if its duties are not. It applies to entities that develop or deploy AI in Texas, promote or conduct business in Texas, or offer products or services used by Texas residents. If you have Texas customers and any AI in the loop, assume you are in scope and work backward from there — do not assume you are exempt because you are not headquartered in the state.

That last point trips people up. A common reaction to a state AI law is “we’re not in Texas, so it doesn’t apply.” TRAIGA was written to close that gap. The trigger is not where your office sits; it is whether Texas residents touch your product. For a national SaaS company, an e-commerce brand, a lender, or a staffing platform, that condition is almost always met. The practical question is not “does TRAIGA apply to us?” but “which of our AI uses does it actually constrain?” — and answering that requires knowing what AI you run in the first place.

What it actually prohibits — and what it doesn’t

This is where TRAIGA diverges sharply from Colorado. It was deliberately pared back from earlier, far more expansive drafts. It does not impose a Colorado-style “high-risk system” regime with a standalone duty to prevent algorithmic discrimination. Instead, TRAIGA is intent-based: it prohibits developing or deploying AI with the intent to do specific things. You cannot build or deploy a system intending to:

• Unlawfully discriminate against a protected class.
• Incite or encourage self-harm or criminal activity.
• Produce child sexual abuse material, unlawful deepfakes, or sexual content impersonating a child.
• Infringe constitutional rights.

That intent requirement matters. A disparate-impact outcome alone — the heart of Colorado’s and Illinois’s anti-discrimination duties — is not, on its own, the trigger here. That makes the headline duties narrower than feared for most private businesses. But “narrower” is not “nothing,” and the rest of the statute carries real obligations.

It also creates a subtler exposure. Intent is rarely proven by a confession; it is inferred from circumstances — what you knew, what you ignored, and what you documented. An organization that deployed a tool, saw warning signs of a prohibited use, and kept no record of how it responded is in a weaker position than one that can show a deliberate, documented risk process. In other words, the intent standard quietly rewards the same disciplined documentation that the rest of this briefing keeps returning to. The narrower duty does not eliminate the need for evidence; it changes what the evidence has to prove.

The government and healthcare rules are sharper

TRAIGA reserves its firmest disclosure and prohibition rules for the public sector and for healthcare:

• Government social scoring is banned. State entities cannot use AI to score residents in the way that phrase implies.
• Biometric identification is restricted. Government entities may not use AI to identify individuals from publicly available sources without consent.
• Disclosure to consumers. Government entities must tell consumers when they are interacting with an AI system.
• Healthcare disclosure. Healthcare providers must disclose to patients when AI is used in their treatment.

If you contract with Texas agencies or operate in healthcare, these are not optional nuances — they are the parts of TRAIGA most likely to touch you directly. A vendor selling decision-support software to a state agency inherits the agency’s disclosure expectations in practice, even if the statutory duty names the government entity. A clinic rolling out an AI scribe or triage tool needs a patient-facing disclosure it may not have today. These obligations are concrete, checkable, and the kind of thing a regulator can confirm with a single screenshot — which makes them the easiest place to be caught flat-footed.

How it’s enforced

Enforcement sits exclusively with the Texas Attorney General. There is no private right of action — individuals cannot sue you under TRAIGA. Before acting, the AG must issue a 60-day cure notice, giving you a window to fix the problem. Penalties are tiered and can reach the high five- and six-figure range, with per-day amounts for continuing violations. TRAIGA also preempts local and city AI ordinances, so you are dealing with one statewide rule rather than a patchwork of municipal ones. The law additionally creates a regulatory sandbox program and a Texas AI Council.

The angle most businesses miss: alignment is rewarded

TRAIGA explicitly favors organizations that align with recognized risk frameworks — notably the NIST AI Risk Management Framework. In practice, demonstrating that you run a disciplined program — you know what you run, you manage its risk, you document foreseeable harms — is the same posture that helps you show you did not act with prohibited intent. That is not a coincidence. The intent-based duties and the disclosure rules both quietly assume one thing: that you can describe your AI systems. And you cannot describe what you have never inventoried.

This is the quiet efficiency of building to a framework instead of to a single statute. The same NIST-aligned inventory, risk register, and harm documentation that earn favor under TRAIGA also map onto Colorado’s consequential-decision regime, Illinois’s employment rules, and the EU AI Act’s expectations. You are not building five compliance programs; you are building one disciplined foundation and pointing it at whichever jurisdiction asks. TRAIGA happens to be the one that is already live and already says, in effect, that this foundation is what good looks like.

TRAIGA is the calmer cousin of the AI laws making headlines — intent-based, AG-enforced, no private lawsuits. But calm is not the same as absent. The work it asks for is the same foundation every serious framework asks for, and it is already live. (See our companion briefing on NIST AI RMF as a safe harbor.)

This briefing is general information from Sentinel Assurance Group, not legal advice. Regulatory dates and requirements change — we maintain these briefings, but verify against primary sources and counsel before acting. Last reviewed June 11, 2026.

See how a Gap Assessment maps your exposure →