What is AI regulation in Texas?

Texas regulates AI through the Texas Responsible Artificial Intelligence Governance Act, or TRAIGA, which took effect on 1 January 2026. It is an enacted state law, not a proposal. TRAIGA uses a broad definition of AI and reaches many businesses that operate in Texas or serve Texans, but its main private-sector rules are targeted bans and specific disclosure duties rather than one broad "high-risk AI" compliance regime. Enforcement sits mainly with the Texas Attorney General.

What this means

Texas now has a statewide AI law in force. TRAIGA is the centrepiece for private and mixed public-private AI regulation in Texas, and it matters because it applies to more than chatbots or image tools. The law defines "artificial intelligence system" broadly enough to catch systems that generate content, recommendations, predictions or decisions.

That said, Texas has not copied the most prescriptive state models. For private organisations, TRAIGA does not create a single, all-purpose duty to run impact assessments or maintain a full risk management programme for every "high-risk" system. Instead, it focuses on specific prohibited uses, a limited set of disclosure duties, Attorney General enforcement and a state sandbox for testing.

Texas also has a separate public-sector layer. Senate Bill 1964 and DIR rules govern how state agencies and local governments procure, deploy and oversee certain AI systems, especially public-facing systems and systems that materially influence consequential decisions.

Why it matters

For organisations that build, buy, sell or govern AI, Texas is now a real compliance jurisdiction, not just a policy discussion. If you do business in Texas, offer products or services used by Texans, work with Texas agencies, or deploy AI in healthcare or other sensitive settings, you need to know which uses are prohibited, when disclosure is required, who enforces the rules and what evidence may help if a regulator asks questions.

It also matters because Texas combines several levers. TRAIGA creates broad reach, local preemption, civil penalties and a cure process. The public-sector regime adds code of ethics requirements, standard notices, impact assessment duties for certain government systems and procurement consequences for vendors. In practice, Texas is part of the wider US state patchwork, so multistate teams cannot assume that one national policy will map cleanly onto Texas.

How it works

The current Texas position

Texas enacted TRAIGA through House Bill 149 in 2025. The Governor signed it on 22 June 2025, and the law took effect on 1 January 2026. So, as of 5 June 2026, the core private-sector Texas AI law is already in force.

TRAIGA does two things at once. First, it adds Texas-specific AI rules to the Business and Commerce Code. Second, it builds an institutional framework around those rules, including a regulatory sandbox and a Texas Artificial Intelligence Council. The law also expressly preempts local ordinances and similar local measures about the use of AI systems, which means cities and counties cannot create their own competing Texas AI rulebooks in this area.

Scope and definitions

TRAIGA defines an AI system broadly. It is not limited to generative AI, large language models or chatbots. If a machine-based system infers from inputs how to generate content, recommendations, predictions or decisions that can influence physical or virtual environments, it can fall within the statute.

The law's reach is also broad. It applies to a person that promotes, advertises or conducts business in Texas, produces a product or service used by Texas residents, or develops or deploys an AI system in Texas. TRAIGA then distinguishes between "developers" and "deployers", which matters when the Attorney General seeks information during an investigation.

This is important because Texas uses a broad front door and a narrower set of operative duties. In other words, many organisations may be within scope, but not every scoped organisation will face the same concrete obligations.

Main duties and prohibitions

TRAIGA does not organise private-sector compliance around one master category such as "high-risk AI system". Instead, it creates targeted rules.

A governmental agency that makes an AI system available to interact with consumers must disclose that consumers are interacting with AI before or at the time of interaction. The disclosure must be clear, conspicuous and in plain language, and it cannot rely on dark patterns. A hyperlink can be used for the notice. Separately, if AI is used in relation to healthcare service or treatment, the provider must give that disclosure no later than the date the service or treatment is first provided, except where an emergency makes later disclosure necessary.

The law then bans a set of uses. A person may not develop or deploy AI in a way that intentionally aims to incite or encourage self-harm, harm to another person or criminal activity. A governmental entity may not use AI for prohibited social scoring. A governmental entity also may not use AI to uniquely identify a specific person through biometric data or broad image gathering from public sources without consent if that use would infringe constitutional or legal rights. A person may not develop or deploy AI with the sole intent of infringing rights guaranteed under the US Constitution. A person also may not develop or deploy AI with the intent to unlawfully discriminate against a protected class in violation of state or federal law. TRAIGA adds that disparate impact, by itself, is not enough to prove that intent.

The statute also addresses deeply harmful synthetic content. It prohibits developing or distributing AI with the sole intent of producing certain illegal sexually explicit content, unlawful deepfake imagery under Texas criminal law, or conduct related to child sexual abuse material. It also prohibits certain text-based sexual conversations that impersonate a child younger than 18.

There are boundaries and carve-outs. For example, the discrimination section has special treatment for insurance entities and federally insured financial institutions. The chapter's definition of "governmental entity" also excludes hospital districts and institutions of higher education, which means readers should not assume every Texas public body is treated identically inside Chapter 552.

Enforcement, penalties and defensive evidence

TRAIGA gives the Texas Attorney General exclusive authority to enforce the chapter, except for a limited route allowing state licensing agencies to impose sanctions after a court finding and an Attorney General recommendation. The chapter does not create a private right of action.

The Attorney General can investigate through civil investigative demands. The statute allows the Attorney General to request high-level information about the system's purpose, intended use, training data, input categories, outputs, performance metrics, known limitations and post-deployment monitoring and safeguards. That is a practical signal: Texas expects organisations to be able to explain their system at a governance level, even if the statute is not a full documentation regime for every business.

Before bringing an action, the Attorney General must generally give written notice and a 60-day cure period. If the issue is cured and backed by a written statement and supporting documentation, that can stop the case from proceeding. If not cured, the potential civil penalties are material: around 10,000 to 12,000 US dollars for curable violations or breach of a cure statement, around 80,000 to 200,000 US dollars for uncurable violations, and around 2,000 to 40,000 US dollars per day for continuing violations. The Attorney General may also seek an injunction, attorney's fees, court costs and investigative expenses.

The law also points to the kind of evidence that may help a defendant. The text expressly references feedback channels, adversarial or red-team testing, applicable agency guidance and substantial compliance with the latest NIST "Artificial Intelligence Risk Management Framework: Generative Artificial Intelligence Profile" or another nationally or internationally recognised AI risk management framework as part of an internal review process. That is not blanket immunity, but it clearly encourages documented testing and framework-based governance. The Attorney General also may not seek a civil penalty for an AI system that has not been deployed.

Sandbox and Texas institutions

TRAIGA is not only about restrictions. It also creates a regulatory sandbox programme at DIR. The programme is meant to let participants test and deploy innovative AI systems for a limited period, generally up to 36 months, without needing every normal licence, registration or comparable regulatory authorisation that would otherwise apply.

To enter, an applicant must obtain approval from DIR and any applicable agency. The application must describe the system and intended use, assess likely benefits, address consumer, privacy and public safety impacts, explain how adverse consequences will be mitigated and show compliance with any applicable federal AI laws and regulations. Participants must provide periodic reporting, and DIR must report annually to the legislature.

The sandbox is not a free pass. The core duties and prohibitions in TRAIGA's Subchapter B cannot be waived. So a participant cannot rely on the sandbox to excuse prohibited conduct such as manipulative use, intentional unlawful discrimination or unlawful synthetic sexual content.

TRAIGA also creates the Texas Artificial Intelligence Council. Its role is mainly advisory and educational. It can issue reports, provide training and outreach, and make recommendations to the legislature and agencies. It is not the binding regulator for private-sector AI.

The public-sector overlay around TRAIGA

Anyone dealing with Texas government also needs to look beyond TRAIGA itself. In 2025, Texas also enacted Senate Bill 1964, which took effect on 1 September 2025 and governs public-sector AI use in Government Code Chapter 2054. That regime requires DIR to establish an AI code of ethics and minimum standards for "heightened scrutiny" AI systems used by state agencies and local governments. It also requires certain public-facing notices, impact assessments for heightened scrutiny systems and complaint handling and reporting mechanisms.

By spring 2026, DIR had already implemented major pieces of that public-sector framework. Chapter 219 of the Texas Administrative Code was adopted, DIR had published AI templates and resources, including a standardised notice, and DIR's 2026 Information Resources Deployment Review required state agencies to inventory AI systems and heightened scrutiny AI systems. In practical terms, this means Texas government buyers and their vendors now face a more structured governance layer than many purely private actors do under TRAIGA alone.

This public-sector overlay helps explain Texas's place in the wider state patchwork. Texas has an enacted statewide AI statute, but its private-sector model is more conduct-based and enforcement-led than a broad algorithmic accountability regime. Organisations operating across states still need a state-by-state map rather than one generic US playbook.

Examples

A Texas healthcare provider using AI in relation to treatment has a specific disclosure job. Under TRAIGA, the provider must tell the patient, or the patient's personal representative, that AI is being used no later than the date the service or treatment is first provided, unless an emergency justifies later notice. That makes healthcare intake, consent language and service workflows a live compliance issue.

Texas government practice is already becoming more operational. DIR has published AI templates and resources, including a standardised notice and an example AI notice for a website chatbot. So if a Texas agency deploys a public-facing chatbot, the expectation is no longer abstract policy language. There is now a concrete notice template and a governance framework behind it.

The enforcement climate also matters outside TRAIGA's text itself. In September 2024, before TRAIGA took effect, the Texas Attorney General announced a settlement with Pieces Technologies over alleged false and misleading claims about a generative AI healthcare product used in Texas hospitals. The lesson is practical: even where TRAIGA is not the only legal hook, Texas is willing to scrutinise AI claims, patient-facing deployment and safety representations.

A business that wants to test an innovative AI system through the Texas sandbox has to follow a structured entry path. It would need DIR and agency approval, a description of intended use, a benefit assessment, a plan for mitigating adverse consequences and proof of compliance with applicable federal AI law. The sandbox can ease market testing, but it does not waive TRAIGA's core prohibitions.

Common misunderstandings

Misunderstanding: Texas has a single, broad private-sector "high-risk AI" law like the most expansive state proposals. Correction: Not in that form. TRAIGA uses a broad scope, but its private-sector duties are mainly targeted prohibitions, limited disclosures, enforcement rules and institutional mechanisms.

Misunderstanding: TRAIGA only applies to generative AI tools or chatbots. Correction: The statutory definition is broader and can cover systems that generate recommendations, predictions or decisions, not just conversational tools.

Misunderstanding: Consumers can sue directly under TRAIGA if they think an AI tool harmed them. Correction: TRAIGA gives enforcement authority mainly to the Texas Attorney General and does not create a private right of action.

Misunderstanding: Following a framework such as NIST automatically makes a company immune. Correction: Framework-based review and testing can strengthen a defence position, but they do not erase the statute's prohibitions or guarantee no enforcement.

Misunderstanding: Texas cities can add their own AI ordinances on top of state law. Correction: TRAIGA expressly preempts local ordinances and similar local regulation about the use of AI systems.

Risks and boundaries

TRAIGA is important, but it is not the whole story. Texas privacy law, biometric law, healthcare law, consumer protection law, civil rights law and criminal law can still matter alongside it. That is especially true in healthcare, children's safety, deceptive trade practices and biometric data handling.

The statute is also narrower than its headline suggests. Much of the private chapter turns on intent, "sole intent" or unlawful conduct already recognised elsewhere in law. That can make some provisions easier to understand at a high level and harder to apply at the edges. For example, the discrimination rule does not create a general private-sector fairness audit duty. It focuses on intentional unlawful discrimination, and the text says disparate impact alone does not prove that intent.

Implementation is still maturing. As of 5 June 2026, TRAIGA is in force, but Texas is still building out parts of the operating environment around AI. The statute set a deadline of 1 September 2026 for the Attorney General to post TRAIGA's online complaint mechanism. On the government side, DIR has already adopted Chapter 219 rules and published templates, but practice will continue to develop through procurement, agency review, public complaints and the first enforcement matters.

There are also boundary issues inside Texas government. TRAIGA's Chapter 552 does not treat every public body the same way, and separate Government Code rules now sit alongside it. So public-sector readers should not rely on TRAIGA alone if they are dealing with state agencies, local governments, public hospitals, university systems or vendors serving those bodies.

What to do next

First, classify your role. Are you a developer, deployer, healthcare provider, Texas government buyer, or vendor to a Texas public body? The answer changes what part of the Texas framework matters most.

Second, review your live uses of AI against Texas's targeted prohibitions. Pay particular attention to patient-facing healthcare uses, public-facing interactions, biometric identification, synthetic sexual content risks, unlawful discrimination risks and any system that could look like social scoring in a government context.

Third, make your documentation stronger even where the statute does not command a full private-sector impact assessment. You should be able to explain the system's purpose, training inputs at a high level, likely limits, performance checks, safeguards, monitoring and escalation path. Texas's investigative powers assume that level of basic governance evidence exists.

Fourth, use testing and review as evidence, not just as engineering hygiene. Red-team work, internal issue logging, human oversight and framework-based review matter in Texas because the statute itself points to them when liability is assessed.

Fifth, if you work with Texas government, go beyond TRAIGA. Review Government Code Chapter 2054, DIR's Chapter 219 rules, DIR's AI templates and the public-sector notice and assessment requirements. Procurement teams and vendors should be ready for cure notices, contract consequences and public-sector governance checks.

Finally, monitor official updates. In an area where guidance dates quickly, the next practical changes are likely to come through Attorney General implementation, first public enforcement activity, DIR operational materials and future legislative amendments rather than through a single dramatic rewrite.

FAQs

Is TRAIGA already in force?

Yes. TRAIGA was signed in June 2025 and took effect on 1 January 2026.

Does TRAIGA apply only to companies based in Texas?

No. It can also apply if you advertise or do business in Texas, produce a product or service used by Texas residents, or develop or deploy an AI system in Texas.

Does Texas require every private company using AI to run a formal impact assessment?

No, not across the board under TRAIGA. The private law is mainly built around specific bans, certain disclosure duties and Attorney General enforcement. Formal assessment duties are more explicit in the separate public-sector regime.

When does Texas require disclosure that AI is being used?

TRAIGA requires disclosure when a governmental agency makes an AI system available to interact with consumers, and it requires healthcare providers to disclose AI use in relation to service or treatment by the first service date, subject to an emergency exception. Separate public-sector rules also require notices for certain state and local government uses.

Can a person sue directly under TRAIGA?

No. The statute says enforcement authority is mainly with the Texas Attorney General and that the chapter does not create a private right of action.

What are the penalties for violating TRAIGA?

After notice and a chance to cure, curable violations can trigger civil penalties in the 10,000 to 12,000 US dollar range, uncurable violations can trigger penalties in the 80,000 to 200,000 US dollar range, and continuing violations can trigger daily penalties. The Attorney General can also seek injunctions and costs.

Does TRAIGA say anything about AI governance frameworks?

Yes. The enforcement section points to internal review, testing, agency guidance and substantial compliance with the latest NIST Generative AI Profile or another recognised AI risk framework as relevant defensive evidence.

Is Texas now a comprehensive AI regulation state like every other aggressive US proposal?

Texas is an important AI regulation state, but its model is distinct. It uses a broad definition and strong enforcement, yet the enacted private framework is more targeted and conduct-based than a fully general private-sector "high-risk AI" regime.
