Texas TRAIGA (HB 149): What the New AI Law Actually Requires
Texas enacted the Responsible AI Governance Act in June 2025, effective January 1, 2026. The pared-back final version dropped disparate-impact liability and landed on intent-based prohibitions, a NIST safe harbor, and AG-only enforcement — and diverges sharply from Colorado.
On June 22, 2025, Governor Greg Abbott signed HB 149, the Texas Responsible Artificial Intelligence Governance Act (TRAIGA), into law. It takes effect January 1, 2026. Texas now joins Colorado as one of the few states with a binding, AI-specific governance statute on the books — but the version that passed is materially narrower than the bill that was first introduced, and the differences tell you something about where the politically durable line on AI regulation actually sits.
This is what TRAIGA requires, what it dropped on the way to enactment, and how a company already navigating Colorado’s law should think about the divergence.
The bill that passed is not the bill that was introduced
Early drafts of TRAIGA tracked the Colorado model: a broad obligation framework aimed at “high-risk” AI systems making consequential decisions, with developer and deployer duties and — critically — a focus on algorithmic disparate impact, the unintentional discriminatory effect of a system regardless of intent. That version would have imposed impact-assessment and risk-management duties across a wide swath of commercial AI deployment.
The enacted version is pared back. The most significant change is that TRAIGA’s discrimination provision turns on intent: the law prohibits developing or deploying an AI system intentionally designed to unlawfully discriminate against a protected class. Disparate-impact liability — discrimination established by effect rather than intent — did not survive into the final text. That is a meaningful narrowing, because most algorithmic-discrimination harm is precisely the unintended-effect kind that an intent standard does not reach.
The result is a statute built primarily around intent-based prohibitions plus a set of obligations that fall hardest on government actors, rather than the broad private-sector risk-management regime of the original draft.
What TRAIGA prohibits
The core of the enacted law is a set of prohibited uses. TRAIGA bars developing or deploying an AI system that is intentionally designed to:
- Harm a person in a way that would be unlawful;
- Engage in or facilitate criminal activity;
- Infringe, restrict, or otherwise impair a person’s constitutional or other legal rights;
- Unlawfully discriminate against a protected class (with carve-outs where insurers and financial institutions are separately regulated for the same conduct); and
- Produce or distribute certain unlawful sexually explicit material, including child sexual abuse material.
The “intentionally designed to” framing is the operative limiter throughout. It targets purpose-built misuse rather than emergent or unintended harm — closer to the taxonomy of misuse than to a broad duty of care.
The obligations that fall on government — and the disclosures
TRAIGA imposes its most concrete affirmative duties on governmental entities:
- AI-interaction disclosure. A government agency must clearly disclose to a consumer — a Texas resident acting in an individual or household capacity, not in a commercial or employment context — that they are interacting with an AI system, before or at the point of the interaction.
- No government “social scoring.” Government use of AI to assign a social score that could lead to detrimental or unfavorable treatment is prohibited, an explicit borrowing from the EU AI Act’s prohibited-practices vocabulary.
- Biometric constraints. Restrictions apply to using AI to uniquely identify individuals via biometric data captured from publicly available sources without consent.
A narrower disclosure duty reaches the private sector in healthcare: providers must disclose AI use to a patient or the patient’s representative before or at the time of service, except in emergencies, where disclosure must follow as soon as reasonably practicable.
What is notably absent is a broad private-sector mandate to run bias audits or impact assessments on commercial AI. That is the single largest contrast with Colorado.
Enforcement: AG-only, with a cure period
TRAIGA vests enforcement authority exclusively in the Texas Attorney General. There is no private right of action — individuals cannot sue under the statute. Before pursuing an enforcement action, the AG must provide notice and allow a 60-day cure period for violations that are curable.
The civil penalty structure is tiered:
- Curable violations (and breaches of a cure statement): $10,000–$12,000 per violation.
- Uncurable violations: $80,000–$200,000 per violation.
- Continuing violations: up to $40,000 per day.
The cure period and AG-only enforcement together make TRAIGA’s practical bite contingent on the Attorney General’s office choosing to dedicate enforcement resources to AI cases — the same discretionary-enforcement reality that constrains the other state AI laws we cover. A statute with no private right of action has exactly as much force as the enforcing agency decides to give it.
The NIST safe harbor
TRAIGA includes an affirmative defense that rewards documented risk management. An entity that discovers a violation through its own internal processes — testing, red-teaming, adversarial review — and is otherwise in substantial compliance with a recognized AI risk management framework, such as the NIST AI Risk Management Framework, can assert that compliance as a defense.
This is the most consequential design choice in the law for companies operating beyond Texas. It converts the NIST AI RMF — a voluntary, non-binding framework that NIST itself says is “not intended to be used as a checklist” — into something with concrete legal value: a documented basis for an affirmative defense. Colorado’s law already names the NIST AI RMF as an acceptable risk-management framework for its deployer obligations; TRAIGA goes further by tying it to litigation defense. The practical effect is to push the NIST RMF from rhetoric toward a de facto compliance baseline that states are converging on through their statutes, even absent any federal mandate.
How a multi-state deployer should read this
A company already building for Colorado’s SB 24-205 should not assume TRAIGA is duplicative. The two laws point in different directions:
- Colorado centers on consequential decisions and unintentional algorithmic discrimination, with developer/deployer duties, impact assessments, consumer notice, and an appeal right. Its discrimination concern is effect-based.
- Texas centers on intentional misuse, with prohibited-use categories, government-focused disclosure, healthcare disclosure, and an intent-based discrimination standard. Its private-sector affirmative burden is lighter.
The overlap that matters: both treat the NIST AI RMF as the reference framework. A deployer that builds a single, documented risk-management program against the NIST RMF satisfies a Colorado expectation and earns the Texas affirmative defense — which is the strongest argument for treating the NIST RMF as the spine of a multi-state compliance program rather than reinventing one per jurisdiction.
The broader signal from Texas is that the politically survivable version of state AI law, at least in a more deregulatory legislature, sheds the disparate-impact mandate and keeps intent-based prohibitions plus a framework safe harbor. Whether that is sufficient to address the harms that motivated AI regulation in the first place — most of which are unintended-effect harms an intent standard does not reach — is the open question TRAIGA leaves on the table.
Sources
- Texas HB 149, 89th Regular Session — the primary statutory source (enrolled text and bill history on Texas Legislature Online, capitol.texas.gov, bill HB 149, session 89R): signed June 22, 2025, effective January 1, 2026. Tracked at NCSL’s AI legislation database.
- Texas Signs Responsible AI Governance Act Into Law — Latham & Watkins — analysis confirming AG-only enforcement, the 60-day cure period, the tiered civil penalties, and the NIST AI RMF affirmative defense.
- The Texas Responsible AI Governance Act — Norton Rose Fulbright — overview of the prohibited-use categories and the government and healthcare disclosure obligations.
- Pared Back Version of TRAIGA Signed Into Law — K&L Gates — details on how the enacted bill narrowed from earlier drafts, including the shift away from disparate-impact liability.