Does the Texas AI Law
Apply to My Business?
A plain-English TRAIGA guide for small and midsize businesses — applicability checker, disclosure rules, penalties, examples, and final-law-vs-draft matrix.
By Subodh KC · July 15, 2026 · 30 min read
Last legally reviewed: July 15, 2026
Law reviewed: Texas Business & Commerce Code Chapters 551\u2013554, enacted through HB 149
Effective date: January 1, 2026
Educational notice: This guide explains the statute in practical terms. Applicability can depend on facts, contracts, industry rules, and other federal or state laws. It is not a substitute for legal advice.
Table of Contents
Synopsis
The Texas Responsible Artificial Intelligence Governance Act (TRAIGA), enacted through HB 149 and effective January 1, 2026, can apply to businesses of any size — but it is narrower than most commentary suggests. There is no small-business exemption, no general registration requirement, no mandatory impact assessment, and no universal private-chatbot disclosure rule. The law targets specific prohibited conduct (harm, crime, discrimination, illegal content), healthcare AI disclosure, biometric compliance, and Attorney General enforcement with a 60-day cure period. This guide explains what the final statute actually says, what it does not say, and what small and midsize businesses should do about it.
For the full statutory compliance guide with section-by-section analysis, see the Texas AI Law (TRAIGA / HB 149) Compliance Guide.
The Direct Answer
The Texas Responsible Artificial Intelligence Governance Act, commonly called TRAIGA, can apply to businesses of any size.
The final law does not contain an express small-business exemption or minimum revenue threshold. Its scope includes persons conducting business in Texas, producing products or services used by Texas residents, or developing or deploying an AI system in Texas.
That does not mean every small business using ChatGPT, an AI receptionist, or an automated marketing tool must register its AI, conduct an annual impact assessment, or disclose every chatbot.
The final law is broad in potential reach but comparatively narrow in the commercial conduct it directly regulates.
For most private businesses, TRAIGA focuses on:
- Intentional encouragement of self-harm, harm to others, or crime
- Intentional unlawful discrimination
- AI intended to impair federal constitutional rights
- Certain illegal sexual, deepfake, and child-related content
- Healthcare AI disclosure
- Biometric-data compliance
- Documentation that may be requested during an Attorney General investigation
The practical rule: Do not ask only, “Does my company use AI?” Ask, “What is the AI doing, whose data does it use, who may be affected, and which decisions or actions can it influence?”
Texas AI Law at a Glance
| Question | Plain-English answer |
|---|---|
| What is the law called? | Texas Responsible Artificial Intelligence Governance Act, or TRAIGA |
| Which bill enacted it? | House Bill 149 |
| When did it take effect? | January 1, 2026 |
| Can it apply to small businesses? | Yes. The final text contains no express small-business exemption |
| Does every private chatbot require disclosure? | No, not under TRAIGA as a general rule |
| Is healthcare AI disclosure required? | Yes, when AI is used in relation to healthcare services or treatment |
| Are annual AI impact assessments generally required? | No |
| Does Texas classify private systems as “high-risk AI”? | Not under the final TRAIGA framework |
| Can consumers sue directly under TRAIGA? | No. TRAIGA creates no private right of action |
| Who enforces it? | The Texas Attorney General, with limited additional sanctions by licensing agencies |
| Is there a cure period? | Generally, 60 days after written notice |
| Maximum stated penalty for an uncurable violation? | $200,000 for each violation |
| Can continuing violations create daily penalties? | Yes, up to $40,000 per day |
The Texas Legislature lists January 1, 2026, as the effective date, and the Attorney General\u2019s current guidance identifies the prohibited practices, disclosure requirements, penalties, and complaint mechanism.
What Counts as an AI System Under Texas Law?
TRAIGA defines an AI system as a machine-based system that infers from its inputs how to generate outputs\u2014including content, decisions, predictions, or recommendations\u2014that can influence physical or virtual environments.
That definition can include more than generative chatbots.
Likely examples
- AI website chatbot
- AI phone receptionist
- Resume-ranking system
- Predictive fraud model
- Recommendation engine
- Generative image or video tool
- Clinical decision-support system
- Customer-scoring model
- Automated content generator
- Facial or voice identification system
- Agent that calls APIs or performs business actions
- AI system that recommends prices, treatments, products, or decisions
Systems that may not qualify
Ordinary deterministic software may fall outside the definition when it follows fixed rules without inferring how to generate decisions, predictions, recommendations, or content.
- Basic calculator
- Static decision tree
- Traditional form validation
- Fixed “if–then” workflow
- Standard database lookup
- Non-adaptive scheduling rules
The distinction is not whether a vendor markets a product as “AI.” The question is how the system actually produces its outputs.
Does TRAIGA Apply to Out-of-State Businesses?
Potentially.
The statute is not limited to companies incorporated or headquartered in Texas. It reaches a person who:
- Promotes, advertises, or conducts business in Texas;
- Produces a product or service used by Texas residents; or
- Develops or deploys an AI system in Texas.
An out-of-state SaaS company selling an AI product to Texas customers may therefore fall within the statutory scope.
The next question is whether a particular TRAIGA duty or prohibition is triggered.
Being within the law\u2019s scope does not mean every provision applies to every system.
Quick TRAIGA Applicability Checker
This checker provides a preliminary classification. It is designed to identify issues requiring further review, not to provide a legal conclusion.
Quick TRAIGA Applicability Checker
This checker provides a preliminary classification. It is designed to identify issues requiring further review, not to provide a legal conclusion.
Educational notice: Applicability can depend on facts, contracts, industry rules, and other federal or state laws. This is not a substitute for legal advice.
What Private Businesses Actually Need to Watch
1. AI designed to encourage harm or criminal activity
Example
A general customer-support assistant is not prohibited merely because a user asks a harmful question. The concern is whether the system is intentionally designed or deployed to encourage that conduct.
Practical control: test whether the system gives actionable self-harm instructions, encourages violence, assists criminal planning, escalates vulnerable users toward harmful conduct, or uses manipulative engagement to prolong harmful conversations.
2. Intentional unlawful discrimination
Example
A staffing business deliberately configures a resume-ranking tool to reject applicants over a particular age. That presents a much clearer TRAIGA issue than an unintentional statistical disparity discovered during testing.
Important distinction: The TRAIGA intent standard does not eliminate obligations under other employment, lending, housing, healthcare, or civil-rights laws. Those laws may use different liability standards.
Practical controls: test decision outcomes by relevant groups, document the intended decision logic, remove protected attributes and close proxies, maintain human review for consequential decisions, investigate unexplained disparities, and record corrections and approvals.
3. Constitutional-rights interference
Example
A social-media content-moderation AI that is solely designed to suppress lawful political speech would be closer to this prohibition than a general-purpose AI that occasionally flags content under a vendor’s standard policy.
Practical control: document the system’s intended purpose, review moderation rules for viewpoint neutrality, maintain human appeal channels, and avoid configurations whose sole function is to restrict protected expression.
4. Illegal sexual, deepfake, and child-related content
Example
A companion-chatbot platform that allows users to generate explicit content impersonating minors would fall squarely within this prohibition. A general-purpose image generator with safety filters and age-gating is not the same as a system intentionally designed for that purpose.
Practical controls: implement content filters, age verification, minor-safety guardrails, impersonation protections, reporting mechanisms, and human review of flagged outputs.
Does Every Private AI Chatbot Require Disclosure?
No\u2014not under TRAIGA as a general rule.
The general consumer-interaction disclosure in Section 552.051 applies to a governmental agency that makes an AI system available to interact with consumers. A separate provision applies when AI is used in relation to healthcare services or treatment.
HVAC company with an AI receptionist
Retail website chatbot
City-government chatbot
Medical-practice assistant
Do not copy a blanket statement saying “Texas requires every chatbot to identify itself.” The final law does not say that.
Healthcare AI Requirements
Healthcare requires separate analysis because TRAIGA overlaps with another Texas law enacted in 2025.
TRAIGA healthcare disclosure
When an AI system is used in relation to a healthcare service or treatment, the provider must disclose the use to the recipient or the recipient\u2019s representative no later than the date the service or treatment is first provided. In an emergency, disclosure must be made as soon as reasonably possible.
Texas SB 1188 diagnostic-AI requirements
A separate law, SB 1188, permits a healthcare practitioner to use AI for diagnostic purposes\u2014including recommendations concerning diagnosis or treatment based on a patient\u2019s medical record\u2014when the practitioner acts within scope, the use is not otherwise prohibited, and the practitioner reviews AI-created records consistently with Texas Medical Board standards. The practitioner must also disclose diagnostic AI use to patients.
Healthcare scenarios
| Use case | Practical interpretation |
|---|---|
| AI only schedules appointments | TRAIGA’s healthcare-treatment wording may require fact-specific review; ordinary scheduling is less clearly a treatment use |
| AI answers general office-hours questions | Likely closer to administrative support than clinical decision support |
| AI drafts a clinical note | Review, medical-record accuracy, PHI security, and disclosure questions arise |
| AI recommends a diagnosis | SB 1188 directly addresses diagnostic AI and patient disclosure |
| AI recommends treatment | Practitioner scope, review, disclosure, and medical-record controls apply |
| AI summarizes a patient record | PHI, accuracy, access, vendor, and human-review controls are critical |
| AI triages emergency symptoms | High safety impact; disclosure, escalation, clinical oversight, and other healthcare law require review |
Healthcare organizations must also evaluate HIPAA, Texas medical-privacy laws, medical-record rules, professional licensing standards, contracts, and security requirements. TRAIGA compliance alone does not establish healthcare compliance.
Biometrics and AI
Texas already regulated commercial biometric identifiers through Business & Commerce Code Section 503.001. HB 149 amended that law and connected violations of Section 503.001 to TRAIGA\u2019s biometric provision.
Biometric identifiers include
- Retina or iris scans
- Fingerprints
- Voiceprints
- Records of hand or face geometry
The mere existence of an image or other media on the internet does not automatically establish notice and consent for commercial biometric capture unless the individual made the material publicly available.
AI-training treatment
The amended biometric statute contains an exclusion for training, processing, or storing biometric identifiers to develop, train, evaluate, disseminate, or offer AI models or systems\u2014unless the system is used to uniquely identify a specific individual. If an identifier collected for AI training is later used for another commercial purpose, the law\u2019s possession, destruction, and penalty provisions may apply.
Small-business scenarios
Gym using facial recognition for entry
Call center using voiceprints for identity verification
Retailer analyzing security-camera images
Employer using fingerprint time clocks
Hiring and Employee AI
The TRAIGA definition of “consumer” excludes an individual acting in an employment or commercial context. That does not mean employment AI is automatically outside the entire law.
The unlawful-discrimination prohibition applies broadly to a person developing or deploying AI with discriminatory intent.
A Texas employer uses AI to:
- Rank resumes
- Score interviews
- Analyze employee behavior
- Recommend promotion
- Identify workers for termination
TRAIGA does not impose a general Texas applicant-notice, annual bias-audit, or impact-assessment requirement on these systems. However:
- Intentional unlawful discrimination is prohibited.
- Federal and Texas employment laws remain relevant.
- Biometric rules may apply to voice, facial, or fingerprint analysis.
- Employee monitoring can create privacy and labor concerns.
- Vendor documentation and human review remain prudent.
TRAIGA is not the complete employment-AI rulebook.
The Final Law Versus Earlier Drafts
Texas AI commentary is unusually confusing because at least three different documents are often treated as though they were the same law.
Stage 1: Circulated pre-filing policy draft
Stage 2: Official introduced HB 149
Stage 3: Final enacted law
Final-law comparison matrix
| Issue | Circulated pre-filing proposal | Official introduced HB 149 | Final enacted TRAIGA |
|---|---|---|---|
| High-risk AI classification | Included | Not included | Not included |
| General impact assessments | Included | Not included | Not included |
| Express small-business exemption | Discussed | Not included | Not included |
| General private chatbot notice | Broad summaries created confusion | Government disclosure; healthcare less developed | Government disclosure plus healthcare-service/treatment disclosure |
| Consumer appeal and explanation right | Part of broader discussions | Included for certain adverse AI decisions | Removed |
| Political-viewpoint discrimination | Present in early approaches | Included | Removed; replaced by narrower federal constitutional-rights provision |
| Deceptive-practices manipulation | Included in broader proposal | Included | Removed as standalone TRAIGA provision |
| Unlawful discrimination | Broader governance framework | Intent-based; disparate impact alone insufficient | Intent-based prohibition retained |
| Cure period | Earlier summaries described 30 days | 60 days | 60 days |
| AI risk-framework defense | Broader compliance language | NIST, ISO 42001, or recognized framework tied to discovery and cure | Revised non-liability language referencing feedback, testing, guidance, or internal review with substantial NIST or other framework compliance |
| Consumer private lawsuit | Proposed materials varied | No broad private enforcement mechanism | Expressly no private right of action |
Do not use an article about the 2024 pre-filing proposal as evidence of what Texas businesses must do under the 2026 law.
What Documentation Can the Attorney General Request?
TRAIGA does not require every company to file an annual AI impact assessment. However, after receiving a complaint, the Attorney General may issue a civil investigative demand and request extensive system documentation.
The requested information can include:
- A high-level description of the system’s purpose
- Intended uses
- Deployment context
- Associated benefits
- Types of data used to program or train the system
- Categories of input data
- Categories of outputs
- Performance metrics
- Known limitations
- Post-deployment monitoring
- User safeguards
- For deployers, oversight, use, and learning processes
- Other relevant documents reasonably necessary for the investigation
TRAIGA may not mandate a formal impact assessment for every business, but it authorizes the Attorney General to request much of the information that a responsible AI assessment would normally contain. A business should therefore maintain a concise AI System Record.
Minimum AI System Record
| Field | What to document |
|---|---|
| System name | Product and internal name |
| Business owner | Person accountable for the use case |
| Technical owner | Person responsible for implementation |
| Role | Developer, deployer, or both |
| Purpose | Business problem the AI addresses |
| Users | Employees, consumers, patients, customers, or public |
| Decisions influenced | Recommendations, approvals, rankings, actions |
| Data used | Input, training, customer, personal, biometric, or health data |
| Outputs | Content, scores, decisions, predictions, or actions |
| Vendor/model | Provider, model, version, and hosting |
| Known limitations | Accuracy, bias, hallucination, latency, or coverage |
| Human oversight | Reviewer, approval point, and escalation |
| Testing | Safety, discrimination, security, and performance tests |
| Monitoring | Incidents, complaints, drift, failures, and user feedback |
| Safeguards | Access, filters, moderation, logging, and tool restrictions |
| Disclosures | Whether notice is required or voluntarily provided |
| Retention | How long prompts, outputs, and evidence are retained |
| Incident owner | Who handles complaints and suspected violations |
This is the strongest practical foundation for a Texas small-business AI compliance program.
Enforcement, Cure Period, and Penalties
The Texas Attorney General has exclusive authority to enforce TRAIGA, except for limited additional licensing-agency sanctions after the required findings and recommendation. TRAIGA expressly states that it does not create a private right of action.
Enforcement process
TRAIGA Enforcement Flow
Figure 1 \u2014 The AG must generally give written notice and wait 60 days before bringing an enforcement action.
Before bringing an action, the Attorney General generally must give written notice identifying the alleged violation and wait 60 days. An action may be avoided when the business cures the violation within the period, provides a written statement confirming the cure, supplies supporting documentation, and makes necessary policy changes reasonably designed to prevent recurrence.
Civil penalties
Curable violation or breach of cure statement
Uncurable violation
Continuing violation
The Attorney General may also seek injunctive relief, attorney\u2019s fees, court costs, and investigative expenses. Certain licensed or regulated persons may also face agency sanctions\u2014including license suspension or revocation and monetary penalties of up to $100,000\u2014after a TRAIGA violation is found and the Attorney General recommends additional enforcement.
Is NIST Compliance a TRAIGA Safe Harbor?
Calling it a blanket safe harbor is too broad.
The final law provides circumstances in which a defendant may not be found liable, including when another person misuses the affiliated AI system or when the defendant discovers a violation through feedback, adversarial or red-team testing, state-agency guidance, or an internal review process while substantially complying with the NIST Generative AI Profile or another nationally or internationally recognized AI risk-management framework.
The provision is not written as automatic immunity for every company that says it follows NIST.
Substantial alignment with a recognized AI risk framework, combined with effective testing, feedback, review, and remediation processes, can strengthen a TRAIGA defense. It does not replace compliance with the statute.
NIST\u2019s AI Risk Management Framework organizes AI risk activities through four functions: Govern, Map, Measure, and Manage. Its Generative AI Profile adapts those activities to risks associated with generative systems.
NIST-Lite Framework for Small Businesses
Figure 2 \u2014 A practical four-function approach adapted for small organizations.
A small company does not need to imitate a Fortune 100 governance office. It does need to demonstrate deliberate ownership and reasonable controls.
Practical Business Scenarios
AI receptionist for a local service company
Likely TRAIGA position: The company may be a deployer. No general private-chatbot disclosure requirement exists under TRAIGA. The system must not intentionally encourage harm, crime, or unlawful discrimination.
Recommended controls:
- Identify the business clearly
- Consider voluntarily identifying the system as AI
- Restrict emergency, legal, financial, or medical advice
- Define escalation to a human
- Control appointment, payment, and transfer tools
- Retain call and action evidence appropriately
Medical or dental office using AI
Likely TRAIGA position: Healthcare disclosure may apply when AI is used in relation to healthcare service or treatment. Diagnostic AI can trigger additional requirements under SB 1188. Medical-record and privacy rules also apply.
Recommended controls:
- Patient disclosure
- Practitioner review
- PHI and vendor controls
- Role-based access
- Output verification
- Clinical escalation
- Audit evidence
Staffing company using resume-ranking AI
Likely TRAIGA position: The employment context is excluded from the definition of “consumer.” The intent-based unlawful-discrimination prohibition can still apply. TRAIGA does not impose a general bias audit or applicant notice.
Recommended controls:
- Human review
- Outcome testing
- Documented job criteria
- Proxy-variable review
- Vendor transparency
- Existing employment-law analysis
Retailer using facial recognition
Likely TRAIGA position: Texas biometric law and TRAIGA’s biometric provision may apply. Public images alone do not necessarily establish consent. Unique identification creates greater risk than ordinary image analysis.
Recommended controls:
- Written consent analysis
- Narrow purpose
- Retention and destruction schedule
- Vendor restrictions
- Access controls
- Alternative process for customers who decline
SaaS company selling an AI assistant
Likely TRAIGA position: The company may be a developer if the system is provided in Texas. Customers may separately be deployers. There is no universal registration or impact-assessment requirement.
Recommended controls:
- System documentation
- Clear intended-use boundaries
- Customer configuration guidance
- Prohibited-use controls
- Safety testing
- Monitoring
- Contract allocation of responsibilities
Marketing agency using generative AI
Likely TRAIGA position: Ordinary drafting and content generation do not automatically create a special TRAIGA filing or disclosure obligation. Risk increases when the agency generates deceptive impersonations, illegal sexual deepfakes, discriminatory targeting, harmful or criminal instructions, or unauthorized biometric identification.
Recommended controls:
- Human review
- Rights and consent checks
- Deepfake and impersonation policy
- Approved data use
- Client disclosure where contractually required
- Records of high-risk campaigns
Ten-Step TRAIGA Readiness Plan for Small Businesses
A structured version of this process can be delivered through the HAIEC Texas AI Readiness Assessment, including applicability analysis, system inventory, disclosure review, prohibited-use testing, evidence gaps, and a cure-response package.
Inventory the AI
- Public AI tools
- Employee AI tools
- Embedded vendor AI
- Automated decision systems
- AI voice and chat
- Biometric systems
- Agents and tool-calling workflows
Assign an owner
- Business owner
- Technical owner
- Vendor owner
- Incident contact
Determine your role
- Developer
- Deployer
- Both
- Customer of a third-party system
Classify the use case
- Healthcare
- Employment
- Biometrics
- Children
- Protected classes
- Public services
- Financial or insurance decisions
- Safety
- Constitutional rights
Map the data
- Inputs
- Outputs
- Personal information
- Health information
- Biometric information
- Sensitive business data
- Retention and sharing
Review disclosures
- Required by TRAIGA
- Required by another law
- Required by contract
- Recommended for trust
- Not relevant
Test prohibited behavior
- Self-harm and violence
- Criminal assistance
- Discrimination
- Deepfake and sexual content
- Child-safety failures
- Constitutional-rights concerns
- Unauthorized tool actions
Document limitations and oversight
- Known failure modes
- Human review
- Escalation
- Approval points
- Monitoring
- Corrective action
Prepare for complaints
- Complaint intake
- Investigation owner
- Evidence-preservation procedure
- Vendor-notification process
- Remediation workflow
- Executive escalation
Prepare a 60-day cure-response package
- Alleged issue
- Root cause
- Affected users
- Immediate containment
- Corrective action
- Supporting test evidence
- Policy changes
- Recurrence-prevention controls
- Responsible owner and due date
Frequently Asked Questions
Does the Texas AI law apply to small businesses?
Is there a revenue threshold under TRAIGA?
Does using ChatGPT make my company subject to TRAIGA?
Do I have to register my AI system with Texas?
Does Texas require an AI impact assessment?
Does my private website chatbot need an AI disclosure?
Should a private business disclose its AI chatbot voluntarily?
Does an AI phone receptionist need disclosure in Texas?
Does TRAIGA apply to employee hiring tools?
Does TRAIGA require a bias audit?
Is disparate impact a TRAIGA violation?
Does TRAIGA apply to healthcare AI?
Does HIPAA replace TRAIGA?
Does TRAIGA regulate facial recognition?
Is an ordinary photograph considered biometric data?
Can consumers sue my business directly under TRAIGA?
What happens if someone files a TRAIGA complaint?
What are the penalties?
Does NIST compliance guarantee immunity?
What is the minimum documentation a small business should maintain?
How often should TRAIGA compliance be reviewed?
Official Source Hierarchy
For future updates, use this order:
Current Texas Business & Commerce Code
Enrolled HB 149 text
Texas Attorney General TRAIGA guidance
Texas Department of Information Resources guidance
Enrolled related statutes, including SB 1188
NIST AI Risk Management Framework
Secondary legal commentary
Do not rely on an article about a pre-filing proposal without checking whether the discussed provision survived into the final law.
Final Takeaway
Texas did not enact a Colorado-style comprehensive high-risk AI governance regime. It enacted a more targeted law.
TRAIGA can reach small and midsize businesses, but it does not require every company using AI to register, complete an annual impact assessment, or identify every private chatbot.
The real compliance work is more practical:
- Know which AI systems you use.
- Understand what they do.
- Identify sensitive and regulated use cases.
- Prevent prohibited conduct.
- Disclose healthcare AI where required.
- Control biometric information.
- Test consequential systems.
- Maintain enough evidence to respond to a complaint.
- Correct problems quickly.
The best first step is not a 100-page policy. It is an accurate AI inventory and a clear answer to five questions:
- What is the system intended to do?
- What data does it use?
- Who can be affected?
- What decisions or actions can it influence?
- What evidence proves it is being used responsibly?
That is the foundation of TRAIGA readiness\u2014and responsible AI governance more broadly.
AI Governance & Compliance Framework Guide
This guide is for informational purposes and does not constitute legal advice. Applicability can depend on facts, contracts, industry rules, and other federal or state laws. For jurisdiction-specific compliance guidance, contact Subodh KC for advisory services. Last legally reviewed: July 15, 2026. Law reviewed: Texas Business & Commerce Code Chapters 551\u2013554, enacted through HB 149.