TRAIGA, the Texas Responsible AI Governance Act, in plain English. The final law (HB 149) is much narrower than the original bill, but the obligations are
By Matthew Bertram · President of ModalPoint, CEO of EWR Digital · 2026
The Texas Responsible AI Governance Act (TRAIGA) became law on June 22, 2025, and took effect January 1, 2026. If you have been waiting for a heavy compliance regime to land in Texas like the one in the European Union, the news is unexpectedly good: the version that passed is much narrower than the one that was originally proposed. But narrower does not mean nothing. There are real obligations, real penalties, and real reasons for Texas business owners to know what they actually owe.
This guide is for Texas business owners, executives, and board members who are AI-curious but have not had time to read the statute. Plain English, real examples, and a clear answer to the question most owners are actually asking: do I have to do anything?
That is the gist. The detail follows.
The original bill (HB 1709) proposed a structure similar to the European Union AI Act: risk-based tiering, impact assessments, formal consequential-decision categories covering employment, lending, housing, healthcare, and other sectors. The business community in Texas pushed back hard. The legislature listened. The version that ultimately passed (HB 149) eliminated most of the broad sectoral compliance regime for private employers and focused on a narrower set of clearly harmful intentional uses.
That outcome matters for two reasons. First, if you read commentary on TRAIGA from early 2025, you may have read about obligations that did not survive into the final law. Confirm that any TRAIGA guide you are using describes HB 149 (the law that passed) and not HB 1709 (the original bill). Second, TRAIGA in its final form is a workable law for businesses operating in good faith. The compliance posture that satisfies it is meaningfully lighter than what the original draft would have required.
Three examples by industry. Pick the one closest to home.
A multi-location medical practice in Texas adds AI to its patient portal. The AI drafts replies to patient questions for the doctors to review and send. Under TRAIGA, the practice is not breaking the law just by using AI. There is no requirement under TRAIGA to file impact assessments or get patient consent forms specifically for AI use (HIPAA and other federal laws still apply, of course). The TRAIGA exposure shows up only if the practice uses the AI with intent to unlawfully discriminate, or in one of the specifically prohibited intentional categories. For a normal medical practice using AI to improve patient communication, the operational answer is to maintain a basic record of what the AI does and how doctors review it. Not heavy.
A Texas manufacturer uses an AI-powered platform to screen contractor applications. Under the original HB 1709, this would have triggered formal impact assessments and disclosure obligations. Under the law that actually passed, the manufacturer’s exposure is narrower: do not use the AI with intent to unlawfully discriminate against a protected class, and be ready to respond if the AG opens an inquiry. Federal employment law (Title VII, ECOA) still applies and may impose disparate-impact obligations regardless of intent. TRAIGA itself focuses on intent.
A retail electricity provider in Texas uses an AI chatbot for customer billing questions. Under the final TRAIGA, no specific disclosure requirement attaches to chatbots in the consumer-facing sector for private companies. The risk surface is the prohibited categories list and the intent-based discrimination prohibition. Most ordinary customer-service AI does not trigger TRAIGA, but operators should still maintain the inventory and oversight documentation that any state AG inquiry would request.
The pattern is the same across industries. Most companies using AI in normal business ways are not the target of TRAIGA. The law is targeted at intentional bad uses. But “you are not the target” only holds up if you can demonstrate it.
The final law’s prohibitions read like a short list of clearly bad-faith uses. None of these are likely to apply to a normal operating business. Read the list to confirm:
If your AI use is not in one of those categories and you are not deploying it to discriminate intentionally, your TRAIGA exposure is minimal. The companies that find themselves answering AG inquiries will be either the bad actors the law was designed for, or businesses that cannot demonstrate what their AI is doing when asked.
If you run a Texas industry association, a chamber, a medical society, or a state-level executive group, your members are exactly the audience this material is built for. The story is not “Texas just dropped a heavy compliance regime on you.” The story is “Texas chose a narrower path than Europe, here is what you actually need to do, and here is what you can stop worrying about.”
That is a more interesting talk than most AI-regulation speakers will give your members. If you are programming an upcoming event for a Texas business audience, here is the speaking page. Back to the practical guidance.
Even with the narrower final law, smart operators are doing baseline AI hygiene work this year. Not because TRAIGA forces it, but because federal law, plaintiffs’ lawyers, insurance carriers, and the next state to regulate AI all assume it.
Walk through every department. Identify what software your team uses and which features are AI-powered. Do not skip vendor-provided AI features inside CRM, HR, accounting, marketing, customer service, predictive maintenance, and cybersecurity. The first artifact is the inventory.
For each AI system, write a short description: what it does, who is responsible for its use, what kind of decisions it supports or makes, and how a human is involved. This documentation is not required by TRAIGA in the way the original bill would have required it, but it is exactly what an AG inquiry would ask for, and it is exactly what a federal civil rights claim would request.
Read the four prohibited categories above. Confirm none apply to your business. If any do, redesign or retire those uses.
If you use vendor-provided AI features, confirm your contract gives you a representation that the vendor is not using their AI with intent to discriminate or in a prohibited category. Most enterprise vendors will provide this representation. If yours will not, that itself is information.
Add AI governance as a recurring agenda item. The narrower TRAIGA does not eliminate board-level oversight responsibility. It just makes the workload lighter than under the original bill. Document the briefing in your minutes.
That is most of what a Texas business needs to do in 2026. It is not nothing. It is also not the heavy regime the original bill would have required.
If your team can answer those four questions in writing today, you are in better shape than most Texas businesses. If they cannot, that is the conversation to have this quarter.
Primary sources: the Texas Legislature HB 149 bill history (capitol.texas.gov) and the Texas Attorney General’s office, which administers TRAIGA enforcement.
The next sections are for general counsel, compliance officers, and AI governance professionals who need the formal statutory framing. Skip ahead if you do not.
TRAIGA in its enacted form is House Bill 149 of the 89th Texas Legislature, signed into law June 22, 2025, effective January 1, 2026. The original bill (HB 1709) proposed broader sectoral coverage, formal risk tiering, mandatory impact assessments, and disclosure requirements. The final version eliminated most private-sector compliance obligations from HB 1709 and shifted to an intent-based prohibition framework with limited categorical bans.
Civil penalties are tiered: $10,000 to $12,000 per curable violation, $80,000 to $200,000 per uncurable violation, and $2,000 to $40,000 per day for continuing violations. A 60-day cure period applies to curable violations after notice from the Texas Attorney General. Licensed professionals face additional fines up to $100,000 with the AG’s recommendation, plus possible license suspension or revocation by the relevant state agency.
TRAIGA reaches AI developers and deployers conducting business in Texas or whose systems are used by Texas residents. Limited exemptions exist; the law also creates a regulatory sandbox program for participating businesses to test AI systems under modified compliance terms. Sandbox details are administered through a state oversight body created by the law.
When the Texas AG receives a complaint, the agency may request information about the AI system’s purpose, intended use, deployment context, training data, inputs and outputs, performance metrics, any risk or impact assessments conducted, known limitations, and post-deployment monitoring. Companies that have not maintained this kind of documentation will be producing it under deadline rather than from existing records.
TRAIGA does not preempt federal civil rights statutes. AI uses in employment, lending, housing, healthcare, and other federally regulated domains remain subject to Title VII, ECOA, FHA, and related federal law, all of which can impose disparate-impact obligations regardless of intent. The intent-based framing in TRAIGA is narrower than the federal disparate-impact framework, which means a Texas employer can technically satisfy TRAIGA’s intent prong while still violating federal law on disparate-impact grounds.
TRAIGA is one of several state-level AI laws in motion. Colorado’s AI Act takes effect February 1, 2026, with a broader consequential-decision framework closer to the original HB 1709 vision. California, New York, and other states have similar bills moving. Operators with multi-state exposure should track each statute separately rather than assume Texas’s narrower approach generalizes.
TRAIGA sits alongside the federal NIST AI RMF, the international ISO 42001 standard, the EU AI Act for businesses with European exposure, and other state-level laws. These frameworks overlap. None substitutes for any other.
For the broader four-standard treatment, see the 2026 AI Governance Framework implementation guide. For the federal piece specifically, see the NIST AI RMF implementation guide for boards and operators. For U.S. companies with EU customers, see EU AI Act: What U.S. Businesses Actually Need to Know in 2026.
The companion question most operators are not yet asking: how AI engines describe your company is also a governance surface. AI governance and AI visibility are a two-layer control system, and the visibility layer becomes evidence in the same regulatory inquiries.
Most Texas business audiences are still catching up to TRAIGA. Many are working from outdated commentary on the original bill. Audiences want a credible voice in the room to translate the law that actually passed into specific guidance for their industry, and to clarify what they no longer need to worry about.
That is the talk I deliver. Houston-based, working with Texas businesses across C&I, medical, and energy on practical AI inventory and oversight. Plain English. Real industry examples. Honest about what the law actually requires, which is less than most operators feared and more than zero.
Matt Bertram is the founder of EWR Digital (Houston), president of ModalPoint (an AI governance advisory holding the DIG framework), a member of the NIST AI Safety Institute Consortium (Cyber AI Profile and Zero Trust Communities of Interest), an IAPP member and AIGP candidate (see published commentary and institutional affiliations), a Goldman Sachs 10,000 Small Businesses graduate (Houston Cohort, April 2026), and the moderator of record on the Ericsson Enterprise Wireless AI panel at the Offshore Technology Conference 2026 with co-panelists from Bechtel and Rockwell Automation. Texas A&M, Class of 2006.
This guide describes TRAIGA as enacted (House Bill 149, signed June 22, 2025, effective January 1, 2026). Statutory text is the controlling authority; nothing on this page is legal advice. Texas businesses should consult qualified counsel for any specific compliance question.
TRAIGA’s rebuttable presumption of reasonable care under §552.105 depends on documented standards your deployer can demonstrate at decision time. For the runtime mechanism - authority record, awareness statement, decision capture, tamper-evident log - see Decision Integrity as the substantial-compliance evidence layer.
Matthew brings this to mainstage keynotes and closed-door board briefings.