Navigating TRAIGA: Texas’s New AI Compliance Framework

Introduction

On June 22, 2025, Texas enacted the Texas Responsible Artificial Intelligence Governance Act (“TRAIGA”), putting it at the forefront of state-level AI regulation in the United States. TRAIGA becomes effective January 1, 2026. It establishes a comprehensive regulatory framework for AI development, deployment, and oversight in Texas. The law applies broadly to any individual or entity conducting business in Texas, offering products or services to Texas residents, or developing or deploying AI systems within the state. This includes Texas-based, out-of-state, and international organizations whose AI systems are accessible to Texas users. However, the future of TRAIGA is clouded by the possibility of federal preemption on state AI regulations, which could limit or nullify its effect. This alert summarizes the key provisions of TRAIGA, analyzes the potential impact of federal action on the Texas regime, and highlights important compliance considerations.

Prohibited AI Practices

TRAIGA prohibits several high-risk AI practices:

• Behavioral Manipulation: AI systems may not be used to intentionally incite or encourage self-harm, violence, or criminal activity.
• Unlawful Discrimination: AI systems may not be used to unlawfully discriminate against protected classes (e.g., race, color, national origin, sex, age, religion, disability) in violation of state or federal law.
• Social Scoring: Governmental entities are barred from using AI to assign social scores or similar valuations that could result in detrimental or disproportionate treatment or infringe on constitutional rights.
• Biometric Identification: Government agencies may not use AI to uniquely identify individuals using biometric data (e.g., fingerprints, voiceprints, iris scans) without informed consent, except for security, fraud prevention, or law enforcement.
• Constitutional Rights: No AI system may be developed or deployed with the sole intent to infringe upon rights guaranteed by the U.S. Constitution.
• Unlawful Content and Deepfakes: The law prohibits the development or distribution of AI systems intended to produce or disseminate child pornography, unlawful sexually explicit deepfake content, or explicit text-based conversations impersonating minors.

Regulatory Sandbox and Other Safe Harbor Provisions

TRAIGA provides several safe harbors and affirmative defenses:

• Substantial compliance with the NIST AI Risk Management Framework or similar recognized frameworks serves as an affirmative defense against enforcement actions.
• Certain sectors and activities are exempt from specific requirements, including financial institutions compliant with all federal and state banking laws, insurance entities subject to anti-discrimination statutes, and uses of biometric data for security, fraud prevention, or healthcare under HIPAA.
• TRAIGA establishes a 36-month regulatory sandbox program to encourage innovation. Approved participants may test new AI systems in a controlled environment with temporary relief from certain state licensing and regulatory requirements. However, prohibitions on manipulation, discrimination, and unlawful content remain in force. Sandbox participants must submit quarterly reports on system performance, risk mitigation, and stakeholder feedback.

Enforcement and Penalties

Enforcement authority is vested exclusively in the Texas attorney general. Violators have a 60-day notice and cure period. Civil penalties range from $10,000 to $12,000 per curable violation, $80,000 to $200,000 per uncurable violation, and $2,000 to $40,000 per day for continuing violations. For licensed professionals, state agencies may suspend or revoke licenses and impose additional fines up to $100,000 upon the attorney general’s recommendation. There is no private right of action.

Disclosure and Transparency Requirements

Transparency is central to TRAIGA, especially for governmental use of AI. State agencies must provide clear and conspicuous notice to individuals when interacting with an AI system, regardless of whether the interaction is obvious. In healthcare, providers must disclose AI use to patients or their representatives before or at the time of service, except in emergencies, where disclosure must occur as soon as reasonably possible. TRAIGA does not impose similar notification requirements on private companies, distinguishing Texas from states like Colorado and California that have broader transparency mandates.

Oversight, Governance, and Reporting

TRAIGA creates the Texas AI Council, a seven-member body tasked with studying AI issues, making policy recommendations, and overseeing the sandbox program. The Council may issue non-binding reports and guidance but lacks rulemaking authority. The Texas Department of Information Resources must provide annual reports to the legislature on the sandbox program’s performance and recommend future legislative reforms.

Federal Preemption: A Critical Uncertainty

TRAIGA’s future is uncertain due to potential federal preemption. A proposed federal measure currently being considered by Congress could impose a ten-year moratorium on state and local AI regulations, unless designed to accelerate AI deployment. If enacted, this could override TRAIGA, suspending its requirements and enforcement mechanisms. In such a scenario, companies would need to comply with federal standards. If federal preemption does not occur, TRAIGA could serve as a model for other states.

Practical Implications and Recommendations

• Inventory AI Systems: Identify all AI systems that touch Texas residents or are deployed in Texas to ensure compliance with TRAIGA’s prohibitions by January 2026.
• Review and Update Policies: Revise internal policies, contracts, and data governance practices to address discrimination, biometric data, and transparency requirements.
• Implement Disclosure Mechanisms: For public-facing tools used by or on behalf of government agencies, prepare clear and conspicuous AI interaction notices.
• Adopt Risk Management Frameworks: Align AI development and deployment with recognized standards such as the NIST AI Risk Management Framework to leverage safe harbor protections.
• Monitor Regulatory Developments: Stay informed about forthcoming guidance from the Texas attorney general and the Texas Artificial Intelligence Council, as well as federal legislative developments that may impact state-level compliance obligations.
• Consider the sandbox: Evaluate whether participation in the regulatory sandbox offers strategic advantages for innovative AI products.

Conclusion

TRAIGA represents a significant advancement in state-level AI regulation, balancing innovation with strong protections against harmful AI practices. Its long-term impact, however, will depend on the evolving federal landscape. Entities operating in or serving Texas should proactively ensure compliance with TRAIGA while monitoring federal developments that may affect the regulatory environment.

William Manbeck, a summer associate in the Ropes & Gray Washington DC office, contributed to this article.