United States (State)In Effect Enforced: 2026-01-01Last updated: May 20, 2026

Texas AI Laws: TRAIGA (HB 149) and HB 2060 Compliance Guide

How to comply with the Texas Responsible Artificial Intelligence Governance Act (TRAIGA / HB 149), effective January 1, 2026, and HB 2060's state-agency AI requirements. Penalties, scope, deployer and developer obligations, NIST AI RMF safe harbor, and an implementation roadmap.

Non-compliance penalty: Up to $200,000 per uncurable violation, $10,000 - $12,000 per curable violation, $2,000 - $40,000 per day for continuing violations. Enforcement by Texas Attorney General only; no private right of action.

How Areebi helps you comply

Block prohibited AI practices (manipulation, discrimination, social scoring, unlawful biometric identification)Tex. Bus. & Com. Code section 552.052 (HB 149)

Areebi: Policy Engine & Use-Case Gating

Areebi's policy engine blocks AI requests by declared use case and intent, preventing employees from invoking AI in scenarios that fall within TRAIGA's prohibited categories. Approval workflows document declared business purpose for each model, creating intent evidence.

Provide consumer disclosure when a Texas state agency interacts with consumers using AIHB 149 government disclosure provisions

Areebi: Consumer AI Disclosure Surfaces

Configurable disclosure notices and watermarking applied automatically to model outputs in consumer-facing channels. Disclosure language can be tailored per agency or use case to satisfy clear-and-conspicuous standards.

Establish NIST AI RMF substantial compliance to invoke the affirmative defenseHB 149 safe harbor provision

Areebi: NIST AI RMF Control Evidence

Continuous, exportable control evidence aligned to NIST AI RMF core functions (GOVERN, MAP, MEASURE, MANAGE) and the NIST AI 600-1 Generative AI Profile. Evidence packages are pre-mapped to TRAIGA safe-harbor requirements.

Detect violations through internal risk management activities (precondition for safe harbor)HB 149 safe harbor provision

Areebi: Continuous Monitoring & Incident Workflows

Real-time monitoring identifies policy violations, model behavior anomalies, and data-exposure events. Documented internal discovery is a precondition for the TRAIGA safe-harbor affirmative defense.

Maintain automated decision system inventory (HB 2060 state-agency obligation)HB 2060 inventory requirement

Areebi: AI Inventory & Risk Classification

Comprehensive automated discovery of AI systems in use, with classification by risk level, decision impact, and consumer reach. Inventory exports satisfy the documentation format established by HB 2060.

Respond within the 60-day cure period after AG noticeHB 149 cure-period provision

Areebi: Cure-Period Response Playbook & Evidence Production

Pre-staged evidence packages, incident response workflows, and audit-grade documentation enable organizations to produce remediation evidence within the cure window without scrambling.

What Are the Texas AI Laws?

As of January 1, 2026, Texas is the third US state to enact a comprehensive AI statute. Governor Greg Abbott signed the Texas Responsible Artificial Intelligence Governance Act (TRAIGA / HB 149) on June 22, 2025, with the law taking effect January 1, 2026. TRAIGA is now the centerpiece of a small but consequential Texas AI legal stack that also includes HB 2060, enacted in 2023, which established the Texas Artificial Intelligence Advisory Council and an AI inventory regime for state agencies.

Compared to the Colorado AI Act - the previous state benchmark - TRAIGA is narrower in scope but more sharply punitive. Where Colorado focuses on algorithmic discrimination across consequential decisions, the enacted Texas law focuses on a smaller set of prohibited AI practices with an intent-based liability framework, expanded government disclosure duties, and civil penalties that can reach $200,000 per uncurable violation plus $40,000 per day for continuing violations.

Two features make TRAIGA especially relevant to enterprise governance teams. First, it provides an explicit NIST AI RMF safe harbor: organizations that substantially comply with the NIST AI Risk Management Framework or its Generative AI Profile can invoke that compliance as an affirmative defense. Second, the Texas Attorney General has exclusive enforcement authority and must offer a 60-day cure period before bringing an action, creating a clear remediation pathway for organizations that move quickly.

Areebi is purpose-built for this kind of risk management: policy enforcement, content guardrails, audit trails, and continuous monitoring map directly to the deployer and developer practices TRAIGA expects, and Areebi's NIST AI RMF alignment supports the statutory safe harbor.

Texas AI Legislation in Scope

The Texas AI legal landscape consists of one comprehensive statute and one state-government-focused statute, plus several adjacent laws that touch AI use in specific domains.

HB 149: Texas Responsible Artificial Intelligence Governance Act (TRAIGA)

HB 149 - the Texas Responsible Artificial Intelligence Governance Act, or TRAIGA - was authored by Representative Giovanni Capriglione, passed by the 89th Texas Legislature, signed by Governor Abbott on June 22, 2025, and took effect on January 1, 2026. The enacted statute is significantly narrower than the bill's original "comprehensive AI" draft, which would have created a Colorado-style framework for high-risk AI systems.

The final TRAIGA targets specific prohibited practices rather than a broad class of high-risk systems. Key prohibitions include:

Behavioral manipulation: Developing or deploying AI systems with the sole intent to manipulate human behavior to circumvent informed decision-making in a manner that causes or is reasonably likely to cause harm.
Discrimination against protected classes: Developing or deploying AI with the intent to unlawfully discriminate against a protected class. The intent standard is the key liability hook - unintentional disparate impact alone does not establish a TRAIGA violation, distinguishing it from Colorado's standard.
Constitutional rights violations: Developing or deploying AI systems that infringe on Texas residents' constitutional rights.
Social scoring by government: Government use of AI for social-scoring purposes is prohibited outright.
Unlawful biometric identification: Capture of biometric identifiers for the purpose of unique identification without the requisite consent or legal basis is restricted.
Generation of unlawful sexual content depicting minors: AI systems may not be used to generate child sexual abuse material.

TRAIGA also imposes government disclosure duties: any Texas state agency that interacts with consumers using an AI system must clearly disclose to those consumers that they are interacting with AI rather than a human. This builds on - and broadens - the disclosure regime introduced by HB 2060.

TRAIGA establishes the Texas Artificial Intelligence Council (a successor body to HB 2060's Advisory Council) and the Texas Regulatory Sandbox Program, which allows participating organizations to test AI systems under a tailored compliance regime overseen by the Texas Department of Information Resources.

Status: Enacted. In effect from January 1, 2026.

HB 2060: Texas Artificial Intelligence Advisory Council

HB 2060 was signed into law on June 13, 2023, by the 88th Texas Legislature. The Act created the seven-member Texas Artificial Intelligence Advisory Council and imposed an automated decision system inventory requirement on Texas state agencies.

Key HB 2060 requirements:

State-agency AI inventory: Each Texas state agency was required to file an inventory of automated decision systems being developed, employed, or procured by the agency, with an initial deadline of July 1, 2024.
Advisory Council oversight: The Council was tasked with assessing whether Texas needs a code of ethics for AI systems, reviewing agency inventories, and recommending policies to protect Texas residents from harms arising from state-government AI use.
Report to the Legislature: The Council was required to deliver a summary report and policy recommendations to the Texas Legislature by December 1, 2024.

Under TRAIGA, the Advisory Council's functions are largely subsumed by the new Texas Artificial Intelligence Council, but the inventory regime that HB 2060 established remains the operational template for ongoing state-agency AI tracking. State agencies and vendors who supply AI to state agencies should continue to assume the inventory expectation is in force.

Status: Enacted June 13, 2023; in force.

Adjacent Texas Statutes Touching AI

Two adjacent Texas statutes shape the AI compliance picture even though they predate the AI-specific framework:

Texas Data Privacy and Security Act (TDPSA): The state's omnibus privacy law - effective July 1, 2024 - imposes data minimization, purpose limitation, and consumer rights obligations that apply to data processed by AI systems. The Texas AG enforces TDPSA, and the agency has signaled that AI-driven processing falls squarely within its scope.
Texas Capture or Use of Biometric Identifier Act (CUBI): CUBI imposes consent and disclosure requirements on the capture of biometric identifiers, which is increasingly relevant to AI-based facial recognition, voice analysis, and behavioral biometrics deployments.

Texas's general consumer-protection statute, the Deceptive Trade Practices Act (DTPA), also remains available to enforce against false or misleading AI-related claims. The Texas AG has reiterated through public statements during 2025 that AI use cases producing deceptive consumer-facing outputs may be actionable under DTPA in addition to TRAIGA.

What TRAIGA Requires of Developers and Deployers

TRAIGA does not impose a uniform compliance checklist across all AI systems the way Colorado's law does. Instead, it imposes prohibitions and disclosure duties that operate as standing obligations, paired with safe-harbor mechanisms that reward proactive risk management.

Practical requirements break into four categories:

1. Avoid prohibited AI practices

The clearest TRAIGA requirement is the negative one: do not develop or deploy AI systems with intent to manipulate, discriminate, infringe constitutional rights, score citizens, perform unlawful biometric identification, or generate child sexual abuse material. "Intent" is the operative standard - covered under section 552.052 of the Texas Business and Commerce Code as enacted by HB 149 - but reckless deployment without reasonable risk assessment can supply the inferential basis for an intent finding.

2. Government-facing AI disclosure

Any Texas state agency, or any vendor providing consumer-facing AI services on behalf of a Texas state agency, must disclose to consumers when they are interacting with an AI system. This is a clear-and-conspicuous standard; buried disclosures or post-hoc notice will not satisfy the duty. Vendors selling AI assistants to Texas state agencies should build disclosure surfaces into their products.

3. Documentation supporting the NIST AI RMF safe harbor

To invoke the affirmative defense under TRAIGA's safe harbor provision, an organization must be able to demonstrate substantial compliance with the NIST AI Risk Management Framework - including, where relevant, the NIST AI 600-1 Generative AI Profile. This requires documented evidence of GOVERN, MAP, MEASURE, and MANAGE activities, not just a stated policy.

4. Cure-period readiness

TRAIGA gives organizations 60 days to cure an alleged violation after the AG issues notice. Organizations that can demonstrate prompt remediation, internal-testing-based discovery, or active risk management programs typically resolve matters during the cure period without civil penalties being assessed.

Areebi maps these requirements directly:

TRAIGA requirement	Areebi capability
Avoiding intent-based prohibitions	Policy engine blocking by purpose and use case, with audit-grade documentation of declared intent
Consumer AI disclosure	Configurable consumer notices and watermarking applied to model outputs
NIST AI RMF safe-harbor evidence	Continuous control evidence aligned to NIST AI RMF core functions, exportable for AG inquiries
Cure-period remediation	Real-time policy enforcement and incident workflow that compresses time-to-remediate

Penalties and Enforcement

TRAIGA's enforcement model is unusual in its combination of exclusive AG enforcement, a mandatory cure period, and scaled civil penalties that escalate sharply for continuing or uncurable violations. There is no private right of action under TRAIGA.

Penalty tiers

Violation type	Penalty range
Curable violation	$10,000 - $12,000 in civil penalties per violation
Uncurable violation	$80,000 - $200,000 per violation
Continuing violation	$2,000 - $40,000 per day, per violation, for each day the violation continues
Equitable relief	Injunctive relief, attorney's fees, and reasonable court costs available alongside civil penalties

Enforcement procedure

The Texas Attorney General serves written notice of an alleged TRAIGA violation.
A 60-day cure period begins on the date of notice. The recipient may submit a written statement to the AG describing the cure and the absence of further violations.
If the AG accepts the cure, the matter closes without penalties. If the AG rejects the cure or determines the violation is uncurable, an action may be filed in district court.
Successful AG enforcement actions can recover civil penalties, attorney's fees, court costs, and equitable relief.

Safe harbor: NIST AI RMF substantial compliance

TRAIGA creates an explicit affirmative defense for entities that substantially comply with the NIST AI Risk Management Framework or comparable nationally or internationally recognized AI risk management frameworks - including the ISO/IEC 42001 AI management system standard. The defense applies when the entity discovers the violation through its own risk-management activities (internal testing, monitoring, audits) and promptly takes corrective action.

This is the most actionable provision in the law: organizations that have already invested in NIST AI RMF-aligned governance can convert that investment into a direct legal shield in Texas. Areebi's compliance evidence packages are built around the NIST AI RMF core functions specifically to support this kind of defense.

Who Is Covered by TRAIGA and HB 2060

TRAIGA's scope is broader than its prohibitions might suggest, because the law applies to any person or entity that develops or deploys an AI system that affects Texas residents - regardless of where the developer or deployer is located.

TRAIGA covered entities

Texas state agencies and political subdivisions: Subject to the full prohibitions plus the AI-disclosure duty.
Developers and deployers of AI systems used in Texas: Any organization developing or deploying AI systems whose operation reaches Texas residents - even if the organization itself is headquartered outside Texas. The law follows a Texas-effects standard similar to the TDPSA.
Vendors selling AI to Texas state agencies: Subject to the disclosure duty when their products are consumer-facing.
Employers using AI for hiring or workforce decisions: Covered to the extent their AI use intersects with the intent-based discrimination prohibition.

HB 2060 covered entities

HB 2060's automated decision system inventory requirement applies specifically to Texas state agencies, but vendors supplying AI to state agencies should expect to be asked for the underlying documentation the inventory depends on - model descriptions, training data summaries, intended-use statements, and risk assessments.

Practical scope notes

Private employers in Texas: No general employer-specific obligation, but TRAIGA's intent-based discrimination prohibition reaches employers that use AI in hiring or workforce decisions with discriminatory intent.
Small business carve-out: Unlike Colorado, TRAIGA does not include a categorical small-business exemption. Organizations of all sizes should plan to comply.
Federal preemption: No clear federal preemption applies. Federal sector-specific rules (e.g., HIPAA for healthcare AI, ECOA for credit-scoring AI) continue to operate alongside TRAIGA.

Implementation Roadmap for TRAIGA Compliance

Organizations that have not yet begun TRAIGA implementation should treat the law as effective today and work backward from the enforcement risk. A practical eight-week roadmap:

Weeks 1-2: Inventory and intent-mapping

Inventory all AI systems that touch Texas residents - including shadow AI tools adopted without IT approval.
For each system, document the declared intent: the business purpose, intended outcomes, and excluded uses.
Flag any system whose declared intent could plausibly be characterized as manipulation, discrimination, social scoring, or unlawful biometric identification.

Weeks 3-4: Map to NIST AI RMF

Conduct a NIST AI RMF gap assessment for each in-scope AI system.
Document GOVERN, MAP, MEASURE, and MANAGE activities. The safe harbor requires substantial compliance, not perfect compliance - but it does require evidence.
For generative AI systems, map controls to the NIST AI 600-1 Generative AI Profile's 12 risk areas.

Weeks 5-6: Technical controls and disclosure surfaces

Deploy policy enforcement that blocks prohibited use cases by design.
Implement consumer-facing AI disclosure for any Texas-state-agency consumer touchpoint.
Activate DLP and content guardrails that prevent inadvertent generation of biometric, manipulative, or discriminatory outputs.

Weeks 7-8: Cure-period readiness and AG-response playbook

Establish a written response playbook for AG notices: who receives the notice, who triages, who drafts the cure documentation, and who signs off.
Pre-stage NIST AI RMF evidence packages so they can be produced within the 60-day cure window without scrambling.
Conduct a tabletop exercise simulating an AG notice for a sample AI system.

Ongoing: Sandbox option and continuous evidence

Consider whether the Texas Regulatory Sandbox Program is appropriate for novel AI deployments that would benefit from a tailored compliance regime.
Maintain continuous evidence collection through Areebi's compliance dashboards - not periodic snapshots. The AG can request evidence at any time, and continuous evidence is materially easier to defend.

Organizations seeking to accelerate their TRAIGA implementation can request a demo to see how Areebi automates the underlying NIST AI RMF controls that anchor the safe harbor.

Relationship to Other US State and Federal AI Frameworks

TRAIGA exists in a layered US regulatory environment. Organizations subject to TRAIGA will typically also be subject to one or more of:

Colorado AI Act (SB 24-205): Colorado's law covers a broader set of "high-risk AI systems" with a stronger disparate-impact frame. Organizations operating in both states should design controls to the higher standard - typically Colorado - and rely on TRAIGA's NIST safe harbor as a defense layer.
California AI Transparency Act and related California measures: California has been first or among the first to adopt watermarking, disclosure, and AI-training-data transparency rules. Texas's consumer disclosure duty for state-agency AI overlaps mechanically with California's transparency framework.
Illinois AI Video Interview Act and NYC Local Law 144: Sector-specific (employment) state and local AI laws that may apply alongside TRAIGA where employers use AI in hiring decisions.
NIST AI Risk Management Framework: Federal voluntary framework that TRAIGA elevates to a quasi-mandatory standard via its safe harbor. Investment in NIST AI RMF compliance is now also Texas-compliance investment.
SEC AI disclosure requirements and FTC AI enforcement: Federal-agency enforcement against AI-related claims and disclosure failures continues independently of state AI laws.

Smart organizations build a single, framework-agnostic AI governance program that satisfies the most demanding requirements and produces evidence packages that can be repurposed for state, federal, and international audits. Areebi's Compliance Hub provides cross-mapped templates for the major frameworks.

What Is Still Uncertain

Some elements of the Texas AI legal landscape remain fluid, and good governance practice is to track these closely:

Sandbox program implementation: The Texas Regulatory Sandbox Program established by TRAIGA is still being operationalized by the Texas Department of Information Resources. Detailed application processes, eligibility criteria, and sandbox-specific compliance regimes will continue to develop through 2026.
AG interpretive guidance: The Texas Attorney General has not yet issued comprehensive interpretive guidance on key TRAIGA terms - including the boundaries of "manipulation" and "intent." Early enforcement actions will shape practical interpretations.
Texas AI Council formation: The new Texas Artificial Intelligence Council established by TRAIGA is still being constituted. Its early output will likely influence both legislative refinements and AG enforcement priorities.
Future legislative session: The 90th Texas Legislature convenes in January 2027. AI legislation is widely expected to be on the docket, including potential refinements to TRAIGA based on early enforcement experience.
Federal preemption questions: Federal AI legislation remains uncertain. Should a federal AI statute pass with preemption provisions, parts of TRAIGA could be displaced. Monitor LegiScan and the Texas Legislature Online for updates.

For organizations that prefer not to track legislative developments themselves, Areebi maintains a compliance hub with status tracking and last-updated dates for every framework we support.

Compliance Checklist

Inventory all AI systems that touch Texas residents, including shadow AI tools adopted without IT approval

Document declared intent (business purpose, intended outcomes, excluded uses) for each AI system

Flag any AI system whose use could plausibly be characterized as manipulation, discrimination, social scoring, or unlawful biometric identification

Conduct a NIST AI RMF gap assessment for each in-scope AI system

Map generative AI systems to the NIST AI 600-1 Generative AI Profile's 12 risk areas

Deploy policy enforcement that blocks prohibited use cases by design

Implement consumer AI disclosure for any Texas state agency consumer touchpoint

Establish continuous monitoring to support internal violation discovery (a safe-harbor precondition)

Document a written AG cure-period response playbook with named roles and signoffs

Pre-stage NIST AI RMF evidence packages exportable within the 60-day cure window

Track Texas Regulatory Sandbox Program developments and assess sandbox eligibility for novel AI deployments

Integrate Texas AI compliance evidence with existing Colorado, California, and federal AI compliance programs

Frequently Asked Questions

What is the Texas Responsible Artificial Intelligence Governance Act (TRAIGA / HB 149)?

TRAIGA is the Texas AI law enacted as HB 149, signed by Governor Greg Abbott on June 22, 2025, and effective January 1, 2026. It prohibits specific AI practices (manipulation, discrimination by intent, social scoring, unlawful biometric identification, generation of child sexual abuse material), imposes consumer disclosure duties on state-agency AI use, and provides civil penalties of up to $200,000 per uncurable violation enforced exclusively by the Texas Attorney General.

When did TRAIGA take effect?

TRAIGA took effect on January 1, 2026. Governor Abbott signed the bill on June 22, 2025, giving organizations approximately six months to prepare. Enforcement is active as of the effective date, although the Texas Attorney General must provide a 60-day cure period before bringing an enforcement action.

Does TRAIGA apply to organizations outside Texas?

Yes. TRAIGA applies to any developer or deployer of an AI system that affects Texas residents, regardless of where the developer or deployer is headquartered. This Texas-effects standard parallels the scope used in the Texas Data Privacy and Security Act. Out-of-state organizations should treat TRAIGA the same way they treat the Colorado AI Act and CCPA - compliance is required if Texas residents are affected.

How does TRAIGA's NIST AI RMF safe harbor work?

TRAIGA provides an affirmative defense to entities that substantially comply with the NIST AI Risk Management Framework or a comparable framework (the NIST AI 600-1 Generative AI Profile and ISO/IEC 42001 also qualify). To invoke the defense, the entity must have discovered the alleged violation through its own risk-management activities (internal testing, monitoring, audits) and promptly taken corrective action. This is the most actionable single provision in the statute.

What are TRAIGA's penalties?

Curable violations carry civil penalties of $10,000 to $12,000. Uncurable violations carry civil penalties of $80,000 to $200,000. Continuing violations can incur $2,000 to $40,000 per day, per violation, for each day the violation continues. The Texas Attorney General can also seek injunctive relief, attorney's fees, and reasonable court costs. There is no private right of action under TRAIGA.

How does TRAIGA differ from the Colorado AI Act?

Colorado's law focuses broadly on algorithmic discrimination in high-risk AI systems affecting consequential decisions, with both intent-based and impact-based liability. TRAIGA is narrower and uses an intent-based standard - unintentional disparate impact alone does not establish a violation. Colorado imposes uniform deployer and developer duties (impact assessments, public statements, consumer notice). TRAIGA does not, but it imposes sharper civil penalties for the practices it does prohibit and creates an explicit NIST AI RMF safe harbor that Colorado lacks.

What is the Texas Regulatory Sandbox Program?

The Texas Regulatory Sandbox Program is established by TRAIGA and overseen by the Texas Department of Information Resources. It allows organizations to test novel AI systems under a tailored compliance regime that may relax specific TRAIGA requirements in exchange for enhanced reporting and oversight. Sandbox program details are still being operationalized by DIR; eligibility criteria and application processes will continue to develop through 2026.

How does Areebi help with TRAIGA compliance?

Areebi maps directly to the practical operating model TRAIGA expects: the policy engine blocks prohibited use cases by design, configurable disclosure surfaces satisfy the consumer-disclosure duty for state-agency AI, and continuous NIST AI RMF control evidence supports the statutory safe harbor. Pre-staged compliance evidence packages compress cure-period response time well below the 60-day window. Areebi also provides AI inventory and risk classification aligned to the HB 2060 automated decision system inventory format.

Related Resources

Ready to achieve Texas AI Laws: TRAIGA (HB 149) and HB 2060 Compliance Guide compliance?

See how Areebi maps to Texas AI Laws: TRAIGA (HB 149) and HB 2060 Compliance Guide requirements with a personalized demo.

Get a Demo Free AI Risk Assessment

Taking longer than expected.

Reload the page