What Is TRAIGA? The Texas AI Law Explained in Plain English

As of January 1, 2026, the Texas Responsible AI Governance Act (TRAIGA) — officially HB 149 — is law. If you deploy AI systems that affect Texans, this applies to you. Not eventually. Now.

Here's what you actually need to know, stripped of the legal padding.

What TRAIGA Does (and Doesn't Do)

TRAIGA is intent-based regulation. Unlike Colorado's SB 24-205, which focuses on the impact of AI decisions, Texas cares about intent. The law doesn't require mandatory annual audits for private companies. Instead, it defines a list of prohibited practices — things your AI systems cannot be designed or deployed to do.

Think of it as a bright-line test: if your AI was built or used with the intent to do something on the prohibited list, you're in violation. No risk assessment required to trigger liability.

Who TRAIGA Applies To

Every entity deploying AI systems that interact with, affect, or make decisions about Texas residents. That includes:

• Private companies — any size, any industry, if you serve Texans
• State agencies — additional obligations under SB 1964 (ethics code, AI inventory) and HB 3512 (annual AI training)
• Healthcare providers — additional patient disclosure requirements under SB 1188
• Local governments and school districts — same government obligations as state agencies

Insurance companies and certain financial institutions have partial exemptions, but they're narrower than you might expect. If you're using AI for customer-facing decisions, you likely still need to comply.

The 7 Prohibited Practices

TRAIGA Section 2 prohibits AI systems designed or deployed with intent to:

• Use subliminal or manipulative techniques to distort behavior
• Exploit vulnerabilities (age, disability, economic status)
• Conduct social scoring that leads to detrimental treatment
• Use real-time biometric identification in public spaces (with narrow law enforcement exceptions)
• Discriminate in employment, housing, credit, or public accommodations
• Generate deceptive content without disclosure
• Surveil without notice or consent

The NIST Safe Harbor

Here's the strategically important part: TRAIGA explicitly recognizes compliance with the NIST AI Risk Management Framework as an affirmative defense. If you can demonstrate alignment with NIST AI RMF across its four functions (Govern, Map, Measure, Manage), you have a legal shield in enforcement proceedings.

This isn't optional goodwill. It's a statutory defense mechanism. Building your NIST alignment before an investigation is the single highest-ROI compliance activity you can do.

Penalties

Up to $200,000 per violation, enforced exclusively by the Texas Attorney General. There's no private right of action (individuals can't sue), but the AG has broad investigative authority. You get a 60-day cure period after notice — but only if you can demonstrate good-faith remediation.

What to Do Right Now

1. Inventory your AI systems — every model, agent, and automated decision tool
2. Screen against prohibited practices — document the intent behind each system
3. Start NIST AI RMF alignment — build the affirmative defense now
4. Prepare a cure response plan — don't wait for the AG notice to figure out your playbook
5. Generate evidence bundles — auditable proof of compliance, ready for regulators

TXAIMS automates every step — prohibited practice screening, NIST alignment scoring, evidence bundle generation, and cure workflow management. The law is live. Your compliance shouldn't be manual.

Dive Deeper

• The Complete Guide to TRAIGA (HB 149) — 4,000-word section-by-section breakdown
• The 7 Prohibited AI Practices — each prohibition with real-world examples
• NIST AI RMF: Your Affirmative Defense — building the safe harbor
• The 60-Day Cure Period Playbook — your AG response strategy
• TRAIGA Penalties and Enforcement — the enforcement details
• Texas vs Colorado AI Law Comparison — how TRAIGA differs from other state AI laws
• TRAIGA FAQ: 40+ Questions Answered