Is the Texas Responsible AI Governance Act (TRAIGA) in effect?

Yes. TRAIGA (HB 149) was signed into law by Governor Abbott on June 22, 2025 and took effect on January 1, 2026. It is currently enforceable, exclusively by the Texas Attorney General.

Does TRAIGA require impact assessments, risk management programs, and annual AG reports for employers?

No. An earlier draft (HB 1709, and the December 2024 version) was modeled on the Colorado AI Act and would have required deployers of 'high-risk' AI to conduct impact assessments, maintain risk management programs, give consumer notices, and file annual reports. The Texas legislature stripped that entire framework out in early 2025 before passage. The enacted HB 149 contains none of those obligations. It is an intent-based prohibition statute, not a high-risk compliance regime.

What happened to Texas HB 1709?

HB 1709 was the original, Colorado-style version of the Texas AI governance bill introduced in the 89th Legislature. It was substantially rewritten and replaced by HB 149 in early 2025. The Colorado-modeled 'high-risk AI / consequential decision / impact assessment' framework was removed during that rewrite. HB 149 — the much narrower bill that survived — is what became the enacted TRAIGA.

Is TRAIGA the same as the Colorado AI Act?

No, not anymore. TRAIGA started as a Colorado-style bill but dropped that model before enactment. The enacted Texas law is intent-based: it bans specific harmful AI uses rather than regulating 'high-risk' systems. Separately, Colorado itself repealed and replaced its original AI Act (SB 24-205) with SB 26-189 — signed May 14, 2026 and effective January 1, 2027 — which also abandoned the impact-assessment/risk-program model in favor of transparency obligations. So the two laws are no longer comparable on the old 'high-risk' framing.

What is the penalty for violating TRAIGA?

TRAIGA is enforced directly by the Texas Attorney General under the new statute (Tex. Bus. & Com. Code ch. 551-553) — not under the Deceptive Trade Practices Act. Penalties are tiered: $10,000-$12,000 per curable violation (or for breaching a statement to the AG that a violation was cured), $80,000-$200,000 per uncurable violation, and $2,000-$40,000 per day for continuing violations. There is no private right of action.

Effective

January 1, 2026

Enforcement

January 1, 2026

Max Penalty

Up to $200,000 per uncurable violation (AG-enforced, tiered)

Jurisdiction

US · Texas

Texas TRAIGA: What HR and Recruiting Teams Must Know

Texas HB 149 | Effective January 1, 2026 | Enforced exclusively by the Texas Attorney General

If you use AI to screen job candidates in Texas, you should understand what this law does and does not require — because a lot of the early commentary describes a version of the bill that never became law.

Texas TRAIGA — the Responsible AI Governance Act, enacted as HB 149 — took effect January 1, 2026. It is codified in the Texas Business & Commerce Code (chapters 551-553). It was one of the first comprehensive US state AI laws to go live; Colorado's law does not take effect until January 1, 2027.

Here is the single most important thing to know: the enacted TRAIGA is far narrower than the bill many compliance write-ups still describe. The original draft (HB 1709, and the December 2024 version) copied Colorado's "high-risk AI" model — mandatory impact assessments, risk management programs, consumer notices, and annual reporting to the Attorney General. The Texas legislature removed that entire framework in early 2025, before the bill passed. None of those deployer obligations exist in the law that actually took effect.

What survived is an intent-based prohibition statute: it bans a short list of clearly harmful AI uses, puts most disclosure duties on government agencies, and is enforced by the Texas AG with a 60-day cure period and tiered penalties. This guide focuses on what that means for HR and recruiting teams in practice.

What TRAIGA Actually Is (and Isn't)

TRAIGA does not create a "high-risk AI system" category, does not use the "consequential decision" or "substantial factor" concepts, and does not enumerate covered domains like employment, housing, or credit. Those are Colorado AI Act (SB 24-205) concepts that were cut from TRAIGA during the 2025 rewrite.

Instead, the enacted law works like this:

It prohibits developing or deploying AI with certain harmful intents (see below).
It imposes disclosure duties primarily on government agencies (with a separate health-care disclosure context), not on private employers.
It is enforced only by the Texas Attorney General — no private lawsuits.
It provides safe harbors (including substantial compliance with the NIST AI Risk Management Framework) and a regulatory sandbox.

For an HR team, the practical upshot is that TRAIGA does not require you to:

Conduct impact assessments on your hiring AI
Maintain a written AI risk management program
Send "AI was used" consumer notices with an opt-out and human-review alternative
File annual reports with the Texas Attorney General

If you read elsewhere that Texas requires these things, that source is describing the superseded draft. That said, the prohibition on intentional unlawful discrimination does reach employment AI, and existing federal and Texas anti-discrimination law continues to apply independently. TRAIGA is lighter than advertised — it is not a free pass.

The Prohibited AI Uses

The core of the enacted law (Tex. Bus. & Com. Code ch. 552) is a list of things you may not develop or deploy an AI system to do. The prohibitions are intent-based — the AG generally must show the developer or deployer acted with the prohibited intent.

TRAIGA prohibits developing or deploying an AI system:

With the intent to unlawfully discriminate against a protected class in violation of state or federal law. Crucially, the statute states that disparate impact alone is not sufficient to demonstrate intent to discriminate.
To incite or encourage a person to commit self-harm, harm to another person, or criminal activity (intentional behavioral manipulation).
With the sole intent of producing or distributing child sexual abuse material or unlawful sexually explicit deepfake content involving minors.
With the sole intent of infringing, restricting, or impairing rights guaranteed under the US Constitution.

Separately, the law bars government agencies from using AI for social scoring (evaluating or classifying people based on social behavior or personal characteristics in ways that lead to detrimental treatment) and restricts government use of AI-based biometric identification from publicly available sources without consent. There are also biometric-data provisions affecting commercial capture of identifiers (retina/iris scans, fingerprints, voiceprints, face/hand geometry) without informed consent, with several exceptions (for example, AI model training and certain security/fraud uses).

For HR: the discrimination prohibition is the one that touches hiring AI. Because it requires intent, a tool that happens to produce uneven outcomes is not automatically a TRAIGA violation. But knowingly building or deploying a system to discriminate against a protected class is. And disparate impact remains actionable under other laws even if it does not, by itself, prove intent under TRAIGA.

Who Must Comply

TRAIGA applies broadly to a person or entity that:

Promotes, advertises, or conducts business in Texas;
Produces a product or service used by Texas residents; or
Develops or deploys an AI system in Texas.

There is no small-business carve-out in the enacted law. (An earlier draft included a Colorado-style threshold tied to having fewer than a certain number of employees; that threshold belonged to the deployer-obligation framework that was removed, so it is not part of TRAIGA.) Because the enacted law imposes no impact-assessment or risk-program duties to begin with, there is nothing to "scale down" for smaller employers — the prohibitions apply to everyone within scope.

Disclosure Duties

This is one of the biggest differences between the enacted law and the draft many guides still describe.

Government agencies must clearly disclose to consumers when they are interacting with an AI system, at or before the point of interaction.
Health-care providers have a separate disclosure context for AI used in patient care.
Private employers have no TRAIGA disclosure obligation. There is no requirement to tell a candidate that AI was used, explain how it influenced a decision, or provide an opt-out with a human-reviewed alternative pathway. That opt-out regime existed only in the superseded draft.

Note that other laws may still require disclosure. NYC Local Law 144 has its own candidate-notice rule for automated employment decision tools used for NYC jobs, and Illinois and other states have their own AI-in-hiring rules. TRAIGA simply is not one of them for private employers.

TRAIGA vs. NYC Local Law 144

NYC Local Law 144 is a narrow, hiring-specific transparency rule. TRAIGA is a broad, intent-based prohibition statute. They overlap only loosely, and TRAIGA imposes fewer affirmative duties on employers than LL 144 does.

Requirement	NYC LL 144	Texas TRAIGA (enacted)
Core model	Transparency rule for automated employment decision tools (AEDTs)	Intent-based prohibitions on harmful AI uses
Geographic scope	AEDTs used for NYC employment decisions	Anyone doing business in TX, serving TX residents, or developing/deploying AI in TX
Bias audit	Annual independent bias audit, results published publicly	None required
Candidate notice	Required before using the tool in hiring	No private-employer notice requirement
Opt-out / alternative pathway	Limited accommodation process	None required
Impact assessment / risk program	None	None (removed before enactment)
Annual reporting	None	None
Penalties	$500-$1,500 per violation (per NYC DCWP)	$10,000-$12,000 (curable) / $80,000-$200,000 (uncurable) / $2,000-$40,000 per day (continuing)
Enforcement	NYC DCWP	Texas AG only; no private right of action
Cure period	None specified	60-day cure period before enforcement

The practical takeaway: if you have already done LL 144 work for NYC hiring, that does not "cover" Texas, and Texas does not add an impact-assessment or notice burden on top of it. What Texas adds is a prohibition on intentional discriminatory or harmful AI use, backed by a powerful AG enforcement tool.

Enforcement, the 60-Day Cure, and Penalties

Exclusive AG enforcement. TRAIGA is enforced directly by the Texas Attorney General under the new statute (Tex. Bus. & Com. Code ch. 551-553) — not under the Deceptive Trade Practices Act (DTPA). The AG can seek civil penalties, injunctive relief, attorney's fees, and court costs. There is no private right of action, so individuals cannot sue under TRAIGA. Consumer complaints are funneled to the AG through an online portal.

The 60-day cure period — the single most important procedural feature. Before bringing an enforcement action, the AG must give the alleged violator written notice. The recipient then has 60 days to cure the violation, explain how it was cured, and identify the changes made to internal policies to prevent recurrence. A timely, properly certified cure bars the civil action for that violation. This notice-and-cure step drives the entire penalty structure: whether a violation is treated as "curable" or "uncurable" determines which penalty tier applies.

Tiered penalties:

Tier	Penalty
Curable violation (uncured, or where the party breaches a statement to the AG that it cured)	$10,000-$12,000 per violation
Uncurable violation	$80,000-$200,000 per violation
Continuing violation (continues beyond the cure period without a proper statement to the AG)	$2,000-$40,000 per day

(Separate caps apply to state agencies.) Note how far this is from the "up to $10,000 per violation under the DTPA" figure that appears in outdated write-ups: the maximum is $200,000 per uncurable violation — twenty times higher — and the legal vehicle is the TRAIGA statute itself, not the DTPA.

Safe Harbors and the Regulatory Sandbox

The enacted law includes meaningful defenses, which the earlier draft framing tends to ignore.

Affirmative defenses / safe harbor. A person may avoid liability by showing, among other things, substantial compliance with the NIST AI Risk Management Framework (or another recognized risk-management framework), discovery and correction of a violation through internal or adversarial/red-team testing, compliance with state-agency guidance, or that the harm resulted from a third party's misuse. This makes adopting a recognized AI governance framework genuinely useful in Texas, even though the law does not mandate one.

Regulatory sandbox (Tex. Bus. & Com. Code ch. 553). TRAIGA establishes an AI Regulatory Sandbox Program administered by the Texas Department of Information Resources (DIR). Approved participants can test AI systems for a limited time — generally up to 36 months unless DIR finds good cause to extend — without obtaining certain licenses or regulatory authorizations, in exchange for filing confidential quarterly and annual reports on performance, risk mitigation, and stakeholder feedback. The AG generally cannot bring enforcement action against a participant for conduct within the scope of the approved test (the core prohibitions still apply). For companies developing novel AI products, the sandbox is worth evaluating.

What HR Teams Should Do Right Now

TRAIGA is in effect, but the to-do list is shorter than older guides suggest. Focus on what the enacted law actually reaches.

Inventory your AI hiring tools. Knowing what AI touches hiring, evaluation, and termination is still good practice — both for TRAIGA's discrimination prohibition and for other laws (LL 144, federal EEO law).

Confirm there is no intentional discrimination. TRAIGA bans deploying AI with intent to unlawfully discriminate. Make sure no one is configuring or using a tool to screen out protected classes, and document that your selection criteria are job-related.

Keep testing — and keep the records. Bias and adversarial testing is not mandated by TRAIGA, but it underpins the law's safe harbor (discovery/correction through internal testing) and supports your defense under other anti-discrimination laws. Disparate-impact testing remains important even though impact alone does not prove TRAIGA intent.

Consider adopting the NIST AI RMF. Substantial compliance with the NIST AI Risk Management Framework is an explicit affirmative defense. Aligning your AI governance to it is one of the highest-leverage steps available.

Do not over-build for requirements that do not exist. You are not required by TRAIGA to file impact assessments with the AG, run an annual AG report, or offer an AI opt-out with a human alternative. Build those only if another law (or your own policy) calls for them.

Get Texas-specific legal advice. Confirm scope, the cure-period mechanics, and how the discrimination prohibition interacts with your existing EEO compliance with counsel familiar with the enacted statute.

Compliance Timeline

Date	Milestone
Dec 2024 / HB 1709	Original Colorado-style draft (high-risk AI, impact assessments, deployer obligations) introduced
Early 2025	Draft rewritten as HB 149 — the Colorado-modeled high-risk framework is removed
June 22, 2025	TRAIGA (HB 149) signed into law by Governor Abbott
January 1, 2026	Law takes effect — prohibitions and disclosure duties enforceable
Ongoing	AG enforcement with 60-day cure; DIR regulatory sandbox open to applicants

Official Sources

Need help with TRAIGA compliance preparation? Browse AI governance consultants

Stay ahead of AI compliance changes

Get weekly regulation updates, enforcement news, and compliance deadlines — free.

Texas Responsible AI Governance Act (TRAIGA).