When people talk about “state AI law” in the United States, the conversation almost always starts with Colorado — the first state to pass a comprehensive, risk-based AI statute. But the law that is actually in force right now, governing AI used by businesses operating in the second-largest state economy in the country, is not Colorado’s. It is Texas’s.

The Texas Responsible Artificial Intelligence Governance Act (TRAIGA), signed by Governor Abbott on June 22, 2025, took effect on January 1, 2026. Colorado’s law, by contrast, was amended in 2026 and its operative date pushed to January 1, 2027. So as of mid-2026, the binding, enforceable comprehensive state AI regime in the U.S. is the Texas one — and it is built on a fundamentally different philosophy than the Colorado model that dominates the discourse. If your AI governance program was designed around Colorado, it may be calibrated to the wrong test. This article is the companion to our Colorado AI Act coverage; read them together, because the differences are the whole point.

Intent-based, not impact-based: the defining distinction

The single most important thing to understand about TRAIGA is the question it asks. Colorado’s law is impact-based: it asks whether your high-risk AI system could cause algorithmic discrimination, regardless of your intent, and requires you to identify, assess, and manage that foreseeable risk. TRAIGA is intent-based: it asks whether you intentionally deployed AI to discriminate, manipulate, or harm.

That distinction has enormous practical consequences. Under TRAIGA, disparate impact alone is not sufficient to demonstrate intent to discriminate. A model that produces statistically unequal outcomes across protected classes is not, by that fact alone, a TRAIGA violation — the state must show you intended the discriminatory result. This is a materially lower compliance burden than Colorado’s “reasonable care to avoid foreseeable discrimination” standard, and it reflects a deliberate, business-friendlier policy choice by the Texas legislature.

But “lower burden” is not “no burden,” and the intent framing creates its own traps — particularly around documentation, because the things you write down about why you deployed a system become evidence of intent.

What TRAIGA prohibits

TRAIGA’s core operative provisions are a set of prohibited uses. It bars developing or deploying AI systems:

  • With the intent to manipulate human behavior to incite or encourage self-harm, harm to another person, or criminal activity
  • With the intent to discriminate against a protected class in violation of state or federal civil rights law (with the disparate-impact carve-out noted above)
  • For the sole intent of producing or distributing child sexual abuse material or certain unlawful sexually explicit deepfake content
  • In ways that infringe constitutional rights

It also imposes a government-specific prohibition: state agencies may not use AI to assign “social scores” based on social behavior that could result in detrimental treatment — a direct echo of the EU AI Act’s social-scoring ban, scoped to Texas government.

What it requires for high-risk systems

For high-risk AI systems — those that make, or are a substantial factor in, consequential decisions affecting employment, education, healthcare, housing, insurance, financial services, or government services — TRAIGA layers on affirmative obligations:

  • Impact assessments for high-risk deployments
  • Transparency disclosures about the system’s use
  • Clear notice to consumers when high-risk AI is used to make a consequential decision about them
  • Governance programs and ongoing human oversight

Government entities carry an additional, stricter duty: they must disclose to consumers that they are interacting with an AI system before or at the point of interaction, regardless of whether the system is high-risk.

Note what is absent compared to many expectations: TRAIGA does not require private employers to disclose AI use to job applicants or employees in the way some had feared. The mandatory consumer-facing AI-interaction disclosure falls primarily on state agencies and, in treatment contexts, healthcare providers.

Enforcement: AG-only, a real cure period, and steep uncurable penalties

TRAIGA is enforced exclusively by the Texas Attorney General. There is no private right of action — a sharp contrast to the path Massachusetts is taking with its private-right-of-action privacy bill, and a reassurance to businesses worried about litigation exposure.

Critically, the AG must provide notice and a 60-day cure period before pursuing enforcement. This is a genuine safe valve — most violations can be fixed without penalty if addressed within the window. The penalty structure rewards curing and punishes willful non-compliance:

  • Curable violations not cured: $10,000–$12,000 per violation
  • Uncurable violations: $80,000–$200,000 per violation
  • Continuing violations: $2,000–$40,000 per day

The gap between a cured violation (zero) and an uncurable one (up to $200,000) is the entire enforcement design. It is built to drive remediation, not to generate revenue from technical slip-ups.

The safe harbor that should shape your whole program

Here is the provision that makes TRAIGA compliance tractable, and that every covered organization should build around. TRAIGA grants an affirmative defense to organizations that:

  • Substantially comply with the most recent NIST AI Risk Management Framework (AI RMF), or another recognized framework
  • Discover the violation through internal testing, red-teaming, or adversarial evaluation
  • Follow guidance issued by applicable state agencies
  • Act on feedback from documented internal review processes

This is a clear, documented path to protection. Unlike Colorado — which requires “reasonable care” but names no specific framework, leaving deployers to guess — Texas tells you exactly what good looks like: implement the NIST AI RMF, test your systems, and keep the records. An organization that adopts the AI RMF as its governance backbone is not only positioned for TRAIGA; it is positioned for the EU AI Act, for Colorado when it arrives in 2027, and for the federal procurement expectations converging on the same framework.

What to do now

TRAIGA is live, so this is not a planning exercise — it is a compliance posture you should already hold:

  1. Adopt the NIST AI RMF as your governance standard and document it. The affirmative defense is the most valuable thing in the statute. Map your AI governance program to the AI RMF’s Govern/Map/Measure/Manage functions and keep dated evidence of conformance.
  2. Inventory high-risk systems by Texas’s definition. Anything that is a substantial factor in consequential decisions on employment, credit, housing, insurance, healthcare, education, or government services is in scope and triggers impact assessments, notice, and oversight.
  3. Stand up the consumer-notice mechanism. Where high-risk AI drives a consequential decision, the affected consumer must be told. Build the disclosure into the decision workflow, not as an afterthought.
  4. Mind the intent trail. Because TRAIGA is intent-based, internal communications about why you deployed a system matter. Train teams that documentation framing a model’s purpose as manipulative or discriminatory is precisely the evidence the standard turns on.
  5. Build a red-team / internal-testing function. Discovering violations through your own adversarial testing is itself part of the affirmative defense. Make it a standing process, not a one-time audit.
  6. Use the 60-day cure period as a design assumption — but don’t rely on it for uncurable conduct. Prohibited uses (intentional manipulation, intentional discrimination, unlawful deepfakes) are the ones that escalate to the $80k–$200k tier. Cure protects sloppiness, not intent.

The headline lesson is simple: the most-discussed state AI law (Colorado) is not yet in force, and the one that is (Texas) runs on a different engine. If you operate in Texas and your AI governance was built to Colorado’s impact-based, framework-agnostic model, you are simultaneously over-engineered for the wrong test and possibly under-documented for the safe harbor that actually protects you. Re-baseline to TRAIGA, anchor on the NIST AI RMF, and you cover both states at once.

This article is provided for informational purposes only and does not constitute legal advice.