Managing Attorney
The vendor demo went well, the chatbot is live on your website, and your operations team just rolled out an AI-powered tool that screens job applicants. You probably did not think of any of it as a legal event. As of January 1, 2026, Texas does. The Texas Responsible Artificial Intelligence Governance Act (TRAIGA) imposes new obligations and prohibitions on businesses that develop, deploy, or sell AI systems used by Texas residents, backed by civil penalties up to $200,000 per violation. A Houston business law attorney at Capstone Legal Strategies can help you assess where your AI use intersects with the law and document compliance.
What Is TRAIGA, and When Did It Take Effect?
TRAIGA is the Texas Responsible Artificial Intelligence Governance Act, signed by Governor Abbott on June 22, 2025, and effective January 1, 2026. The statute is codified at Texas Business & Commerce Code Chapters 551 through 554, making Texas among the first states to enact a comprehensive AI governance law.
The law applies broadly. A business is covered if it develops or deploys an AI system in Texas, advertises or conducts business in Texas, or offers products or services used by Texas residents. That last category is wide enough to capture out-of-state companies whose websites and apps reach Texans.
Who Is Subject to TRAIGA?
TRAIGA defines an ‘artificial intelligence system’ as any machine-based system that, for any explicit or implicit objective, infers from the inputs the system receives how to generate outputs, including content, decisions, predictions, or recommendations, that can influence physical or virtual environments. The ‘explicit or implicit objective’ language is significant. It means the law captures AI functionality embedded in a product even when the vendor does not advertise or intend it as an AI feature. The definition captures not only generative AI tools but also recommendation engines, automated decision systems, screening tools, and many embedded analytics features.
Three categories of business are covered:
- Companies that develop or deploy AI systems in Texas
- Companies that promote, advertise, or conduct business in Texas
- Companies whose products or services are used by Texas residents
Private businesses have no general AI disclosure obligation under TRAIGA. Government agencies, however, are required to notify consumers when they are interacting with an AI system. Healthcare providers must separately disclose their use of AI to patients not later than the date service is first provided, or as soon as reasonably possible in emergencies.
What Does TRAIGA Prohibit?
TRAIGA’s private-sector prohibitions focus on intentional misconduct rather than disparate-impact liability. The statute prohibits the development or deployment of AI systems with the intent to:
- Manipulate human behavior to encourage self-harm, harm to others, or criminal activity
- Unlawfully discriminate against a protected class under federal or state law
- Develop or deploy an AI system with the sole intent for it to infringe, restrict, or otherwise impair an individual’s rights guaranteed under the United States Constitution
- Develop or distribute an AI system with the sole intent of producing, aiding in producing, or distributing visual child sexual abuse material or sexually explicit deepfake videos or images in violation of applicable Texas Penal Code provisions
- Intentionally develop or distribute an AI system capable of engaging in text-based conversations that simulate or describe sexual conduct while impersonating or imitating a child under 18
Disparate outcomes alone do not trigger liability, the Attorney General must show intent. That standard reduces some risk but does not eliminate the need for documentation, since proving lack of intent in an enforcement action is far easier when the company has records of its design decisions, testing protocols, and intended-use policies.
How Is TRAIGA Enforced, and What Are the Penalties?
The Texas Attorney General has exclusive enforcement authority. There is no private right of action, and no class-action exposure under TRAIGA itself.
Before pursuing penalties, the Attorney General must provide written notice and a 60-day cure period. If the violation is curable and is cured within that window, no penalty applies. If it is not, civil penalties scale by severity:
- Curable violations not cured: $10,000 to $12,000 per violation
- Uncurable violations: $80,000 to $200,000 per violation
- Continuing violations: $2,000 to $40,000 per day
The Attorney General may also seek injunctive relief and recover attorney’s fees and investigative costs. For licensed professionals, the relevant licensing agency may impose additional sanctions, including license suspension or revocation, plus a separate monetary penalty up to $100,000.
What Counts as a Safe Harbor Under TRAIGA?
The statute provides several safe harbors. A business may defend against an enforcement action by showing that it:
- Discovered the violation through internal testing, including adversarial or red-team testing
- Substantially complied with the NIST AI Risk Management Framework or another nationally or internationally recognized AI risk framework
- Followed published guidance from a state agency
These safe harbors work only if the company can document them. That means written AI policies, retained testing records, and clear evidence that the framework was followed in design and deployment.
How Does TRAIGA Interact with Other Texas Laws?
TRAIGA does not exist in a vacuum. The Texas Data Privacy and Security Act, codified at Business & Commerce Code Chapter 541 and effective July 1, 2024, governs the collection and processing of personal data by businesses operating in Texas. Many AI systems train on or process exactly the kind of personal data the TDPSA covers, which means an AI deployment can implicate both laws at once.
TRAIGA amends Section 503.001 by exempting biometric identifiers processed solely for AI training purposes from the statute’s consent requirements, while providing that any subsequent commercial use of that data reactivates Section 503.001’s possession, destruction, and penalty provisions in full. For most Texas businesses, AI compliance overlaps with privacy, employment, biometric, and contract law in ways that need to be coordinated.
What Should Your Business Do Now?
A practical compliance starting point includes:
- Inventory your AI systems. Identify every AI tool your business develops, deploys, licenses, or relies on through a vendor, including embedded features in CRM, HR, and analytics platforms.
- Map use cases against TRAIGA’s prohibitions. Anything touching hiring, lending, advertising, content moderation, or biometric identification deserves close review.
- Adopt a written AI use policy documenting intended uses, prohibited uses, vendor diligence, and human-review checkpoints.
- Align with NIST or another recognized framework. Substantial compliance is a statutory defense, but only if it is documented.
- Update vendor contracts to push diligence and compliance representations to AI vendors and processors.
- Coordinate with privacy and employment compliance. TDPSA, biometric, and antidiscrimination obligations all interact with TRAIGA.
Due diligence now can avoid costly civil penalties later.
Talk to a Houston Business Attorney About AI Compliance
TRAIGA is in effect, and the Texas Attorney General has authority to investigate and impose meaningful civil penalties. Capstone Legal Strategies, PLLC works with Houston-area business owners to build the policies, contracts, and documentation that support compliance and reduce regulatory risk. Contact our office to schedule a consultation.