Texas AI Law FAQ

Everything you need to know about TRAIGA (HB 149), prohibited AI practices, NIST safe harbor, healthcare disclosures, government requirements, and enforcement.

Understanding TRAIGA

What is TRAIGA (the Texas Responsible AI Governance Act)?
TRAIGA (officially HB 149) is the Texas Responsible AI Governance Act, signed into law and effective January 1, 2026. It establishes an intent-based regulatory framework for artificial intelligence, defining prohibited AI practices, requiring NIST AI Risk Management Framework alignment for safe harbor defense, and imposing penalties up to $200,000 per violation enforceable by the Texas Attorney General.
When did TRAIGA go into effect?
TRAIGA took effect on January 1, 2026. All AI deployers and developers operating in Texas must comply now. There is no grace period for existing AI systems — any system currently operating in Texas must meet TRAIGA requirements or risk enforcement action by the Texas Attorney General.
How is TRAIGA different from the Colorado AI Act (SB 24-205)?
The key difference is the regulatory model. Colorado SB 24-205 uses an impact-based (risk-based) approach requiring mandatory bias audits and impact assessments for any "high-risk" AI system. TRAIGA uses an intent-based approach focusing on prohibiting specific harmful AI uses like manipulation, discrimination, and constitutional infringement. TRAIGA also explicitly recognizes NIST AI RMF compliance as an affirmative defense, which Colorado does not.
Who does TRAIGA apply to?
TRAIGA applies to AI "deployers" (organizations using AI systems) and "developers" (organizations creating AI systems) that operate in Texas or whose AI systems affect Texas residents. This includes private businesses, state agencies, local governments, healthcare providers, school districts, and any entity using AI for consumer-facing decisions, employment, lending, insurance, education, or healthcare.
What is meant by "intent-based" regulation?
Intent-based regulation means TRAIGA focuses on the purpose and intended use of AI systems rather than just their risk classification. The law prohibits specific intents — for example, using AI with the intent to manipulate someone into self-harm, or using AI with the sole intent to discriminate against a protected class. This is different from risk-based approaches that focus on the potential outcomes regardless of intent.
Does TRAIGA apply to my business if I am headquartered outside Texas?
Yes. TRAIGA applies to any entity whose AI systems affect Texas residents, regardless of where the company is headquartered. If your AI makes decisions about, interacts with, or processes data of people in Texas, you are subject to TRAIGA requirements.

Prohibited Practices

What AI practices does TRAIGA specifically prohibit?
TRAIGA prohibits six categories of AI use: (1) AI designed to incite self-harm, harm to others, or criminal activity; (2) AI used with the sole intent to discriminate against protected classes; (3) AI used with the sole intent to infringe constitutional rights; (4) AI that generates child sexual abuse material (CSAM); (5) government use of AI for social scoring systems; and (6) government use of biometric identification without informed consent.
What counts as AI-driven "social scoring" under TRAIGA?
Social scoring refers to government AI systems that classify, rank, or make decisions about individuals based on an aggregate behavioral or social profile derived from multiple data sources. This is specifically prohibited for state and local government entities under TRAIGA. Private sector reputation or credit scoring systems are not automatically considered social scoring.
Can I use biometric AI in Texas?
Private sector entities can use biometric AI, but must comply with existing Texas biometric privacy laws (CUBI — Texas Business & Commerce Code Chapter 503). Government entities face stricter rules under TRAIGA: they cannot use AI for biometric identification of individuals without informed consent, with limited exceptions for law enforcement under certain circumstances.
Does TRAIGA prohibit AI in hiring and employment?
TRAIGA does not blanket-prohibit AI in hiring, but employment AI falls under its intent-based framework. If your AI hiring tool operates with the sole intent to discriminate against a protected class, it violates TRAIGA. Beyond intent, you should still ensure your employment AI systems comply with federal employment discrimination laws (Title VII, ADA, ADEA) and Texas Labor Code requirements.
How do I prove my AI system does not have prohibited intent?
TXAIMS provides a structured Prohibited Practice Screening questionnaire for each AI system. This documents the intended purpose, evaluates each of the six prohibited practice categories, records the screening results, and generates audit-ready evidence. Combined with NIST AI RMF alignment documentation, this creates a strong defense demonstrating your AI system was deployed responsibly and without prohibited intent.

NIST Safe Harbor

What is the NIST safe harbor under TRAIGA?
TRAIGA explicitly recognizes that compliance with the NIST AI Risk Management Framework (AI RMF) constitutes an affirmative defense against enforcement actions. If the Texas AG alleges a TRAIGA violation, demonstrating documented NIST AI RMF alignment for the AI system in question provides a legal safe harbor. This makes NIST alignment not just best practice, but a concrete legal protection.
What does NIST AI RMF alignment require?
The NIST AI RMF is organized around four core functions: Govern (policies, roles, accountability), Map (context identification, risk categorization), Measure (metrics, testing, monitoring), and Manage (risk mitigation, response procedures). TXAIMS provides a structured dashboard that maps your AI systems to each function, tracks completion, and generates the documentation needed to assert the affirmative defense.
Is NIST AI RMF compliance mandatory under TRAIGA?
NIST AI RMF alignment is not mandatory — it is an affirmative defense. However, given that it provides explicit legal protection under TRAIGA, treating it as a practical requirement is strongly recommended. Organizations without NIST alignment lack this safe harbor defense and face the full $200,000 per violation penalty structure.
How long does it take to achieve NIST AI RMF alignment?
Using TXAIMS, most organizations can achieve basic NIST alignment documentation for a single AI system within 2-4 weeks. Full comprehensive alignment across multiple systems typically takes 1-3 months depending on organizational complexity. TXAIMS accelerates this by pre-populating assessment templates, providing guided questionnaires, and auto-generating documentation.
Does TXAIMS certify NIST compliance?
TXAIMS is a compliance management platform, not a certifying body. We provide the tools, templates, guided assessments, and documentation to build and maintain your NIST AI RMF alignment. The platform generates comprehensive evidence packages that demonstrate alignment, but formal certification (if required by your industry or contracts) would come from an accredited assessor.

Government Requirements

What does SB 1964 require of Texas state agencies?
SB 1964 establishes the AI Ethics Code for Texas government entities. It requires: (1) AI system inventory — every AI tool used must be catalogued; (2) compliance with a government-specific ethics code; (3) heightened scrutiny assessments for AI in sensitive decisions; (4) public disclosure of AI use in consumer-facing interactions; (5) prohibition on government social scoring; and (6) prohibition on government biometric identification without consent.
Does SB 1964 apply to counties, cities, and school districts?
Yes. SB 1964 applies to all levels of Texas government: state agencies, counties, municipalities, school districts, and special districts. Any public entity using AI must comply with the ethics code, maintain an AI inventory, and meet the disclosure and assessment requirements.
What is HB 3512 and who does it affect?
HB 3512 mandates annual AI training for all Texas state and local government employees who use computers for 25% or more of their job duties. Training programs must be certified by the Texas Department of Information Resources (DIR). TXAIMS tracks training completion, certification status, and expiration dates across your entire workforce.
How does TXAIMS help with the government AI inventory requirement?
TXAIMS provides a centralized AI System Registry where government entities can catalogue every AI tool in use. Each entry captures the system name, purpose, deployer duties, risk classification, and applicable statutes. The registry auto-generates the formatted inventory report required by SB 1964 and tracks when systems are added, modified, or retired.

Healthcare Disclosures

What does SB 1188 require for healthcare AI?
SB 1188 requires all healthcare providers in Texas to disclose to patients when AI is used in their diagnosis, treatment, or healthcare services. Disclosure must be made before or at the time the AI-generated information is used in the patient's care. The disclosure must be in plain language and cannot use dark patterns to obscure the AI's role.
Does SB 1188 apply to all types of healthcare AI?
SB 1188 applies to AI used in clinical settings where the output influences patient care decisions. This includes diagnostic AI (imaging, pathology, symptom assessment), treatment recommendation systems, clinical decision support, and any AI that generates information used by a healthcare provider in caring for a patient. It does not apply to back-office scheduling or billing AI.
What should a healthcare AI disclosure say?
A compliant disclosure should clearly state: (1) that AI technology is being used, (2) the specific role the AI plays in the patient's care (diagnosis, treatment recommendation, etc.), (3) that the AI output is reviewed by a qualified healthcare professional, and (4) the patient's right to request human-only care if available. TXAIMS provides pre-built, SB 1188-compliant disclosure templates you can customize.
Can a patient opt out of AI-assisted care under SB 1188?
SB 1188 requires disclosure but does not explicitly mandate an opt-out right. However, best practice — and what TXAIMS recommends — is to inform patients of their right to request human-only evaluation where feasible. This reduces legal risk and aligns with patient autonomy principles.

Penalties & Enforcement

What are the penalties for TRAIGA violations?
The Texas Attorney General can impose civil penalties of up to $200,000 per violation of TRAIGA. This is enforced through AG civil investigative demands and enforcement actions. Note: this is per violation, meaning each prohibited practice identified in each AI system could constitute a separate violation.
Is there a private right of action under TRAIGA?
No. TRAIGA does not create a private right of action. Only the Texas Attorney General has enforcement authority under the statute. Individual consumers cannot sue directly under TRAIGA, though they may still have claims under other Texas consumer protection laws (DTPA) or federal statutes.
What is the 60-day cure period?
Before the AG can impose penalties, TRAIGA provides a 60-day cure period. When the AG identifies a violation, they must notify the deployer and give them 60 days to cure (fix) the violation. If the violation is cured within 60 days with documented evidence of remediation, penalties may be reduced or avoided. TXAIMS automates this entire cure response workflow.
What happens if I fail to cure within 60 days?
If you fail to cure the violation within the 60-day window, the AG can proceed with full enforcement, including the $200,000 per violation penalty. The AG can also seek injunctive relief to prevent continued use of the violating AI system. Having TXAIMS documentation demonstrating a good-faith cure attempt can still mitigate penalties.
How does the NIST affirmative defense work in practice?
If the AG alleges a TRAIGA violation, you can assert the NIST AI RMF affirmative defense by presenting documented evidence that the AI system in question was developed and deployed in alignment with the NIST AI RMF. TXAIMS generates this documentation automatically — your NIST alignment scores, assessment history, evidence bundles, and remediation records form the defense package.

Evidence Bundles

What is an evidence bundle?
An evidence bundle is a comprehensive, audience-specific compliance report generated by TXAIMS. It consolidates your compliance data — including system registry, prohibited practice screening results, NIST alignment scores, disclosure evidence, training records, cure history, and remediation status — into a single package tailored for a specific audience (AG, procurement, customers, board, insurance).
Who receives evidence bundles?
TXAIMS generates bundles for six audience types: (1) Attorney General — for investigative demand or cure documentation; (2) Procurement — for government vendor compliance proof; (3) Customer Due Diligence — for enterprise customers evaluating your AI; (4) Board Governance — for investor and board reporting; (5) Insurance Audit — for underwriting and annual audits; and (6) Custom — for any audience you define.
How often should evidence bundles be regenerated?
TXAIMS automatically marks bundles as "stale" when underlying data changes (new screening, updated NIST score, new incident). We recommend regenerating quarterly for standing audiences (board, insurance) and on-demand for responsive audiences (AG, procurement). Enterprise plans include auto-regeneration on a schedule you define.

Regulatory Sandbox

What is the Texas AI Regulatory Sandbox?
TRAIGA establishes a regulatory sandbox administered by the Texas Department of Information Resources (DIR). The sandbox allows qualifying organizations to test innovative AI systems in a controlled environment with modified regulatory requirements for up to 36 months. Participants must submit quarterly reports to DIR detailing performance metrics, risk mitigation, and stakeholder feedback.
Who can apply for the sandbox?
Any organization deploying or developing AI in Texas can apply to the DIR for sandbox participation. The application must demonstrate that the AI system provides measurable benefit and that the organization will comply with sandbox reporting requirements. TXAIMS Enterprise plans include sandbox application assistance and quarterly report generation.

Getting Started

How does the TXAIMS onboarding work?
TXAIMS uses a guided onboarding wizard that walks you through four steps: (1) Organization profile — tell us who you are and your deployer type; (2) Statute mapping — we determine which laws apply (HB 149, SB 1964, SB 1188, HB 3512); (3) Gap analysis — upload existing documentation and we identify what you need; (4) Roadmap generation — we create a prioritized task list with deadlines. Most organizations complete onboarding in under 30 minutes.
Is there a free trial?
Yes. TXAIMS offers a 14-day free trial with access to 1 AI system, prohibited practice screening, basic NIST alignment tracking, and your Compliance Health Score. No credit card required. Upgrade at any time to unlock evidence bundles, the full NIST dashboard, and more systems.
Which plan is right for me?
Starter ($299/mo) is ideal for small businesses with 1-3 AI systems needing core TRAIGA screening and cure prep. Professional ($699/mo) suits mid-market companies needing evidence bundles, NIST dashboard, healthcare disclosures, and remediation. Enterprise ($1,499/mo) is for organizations with many AI systems, government contracts, or needing API access, sandbox assistance, and dedicated support.
Can I import data from another compliance tool?
Yes. TXAIMS supports importing AI system registries and assessment data via CSV upload and API. Professional and Enterprise plans include full API access for integration with existing GRC tools, document management systems, and internal databases.
Does TXAIMS provide legal advice?
No. TXAIMS is a compliance management and documentation platform. We provide software tools for tracking, documenting, and generating evidence of TRAIGA compliance. All content is informational. You should consult qualified Texas legal counsel for specific legal advice about your TRAIGA obligations. Many Texas law firms use TXAIMS alongside their advisory services.
How is my data secured?
TXAIMS uses AES-256 encryption at rest, TLS 1.3 in transit, and is hosted on enterprise-grade infrastructure with SOC 2 controls. Your compliance data is yours — we never sell or share it. Each organization gets isolated data storage, role-based access control, and complete audit logging of all platform activity.
