Six months ago, the Texas Responsible Artificial Intelligence Governance Act (TRAIGA) went into effect. In those six months, no one has been sued under it. No penalties have been assessed. The AI Advisory Council hasn't issued guidance. The regulatory sandbox hasn't announced participants. By the usual measures of a new regulatory regime, nothing has happened.
What has happened is more consequential than any single enforcement action. The AG's office has continued building an AI enforcement apparatus using laws that predate TRAIGA. The federal government has launched a systematic effort to dismantle state AI regulation. And TRAIGA's distinctive design—the very thing that makes it look quiet—has positioned it to outlast laws that appear far more aggressive on paper.
Advising Clients on Compliance
The law your clients are complying with almost didn't exist in this form. Rep. Giovanni Capriglione filed the original version as HB 1709 in December 2024, a comprehensive risk-based framework modeled after Colorado's AI Act and the EU AI Act, with impact assessments, bias-testing mandates, and broad private sector disclosure obligations.
The Trump administration's pro-innovation posture and industry pushback killed that approach. Capriglione re-filed a stripped-down version as HB 149 in March 2025. What Gov. Abbott signed is an intent-based prohibition model: no impact assessments, no mandatory bias testing, no required output modifications. It sets categorical prohibitions on intentionally harmful uses, enforced exclusively by the AG, with a 60-day cure period and penalties between $10,000 and $200,000 per violation.
That legislative pivot now has consequences beyond Texas. President Trump's December 2025 Executive Order created a DOJ AI Litigation Task Force to challenge state AI laws that compel alterations to truthful outputs or mandate bias testing.
TRAIGA doesn't trigger those vulnerabilities. It prohibits conduct rather than prescribing process. That makes compliance work built around it a more durable investment than equivalent work under Colorado's or California's regimes.
The concrete starting point is the NIST AI Risk Management Framework, specifically noted in Texas law. Companies that substantially comply, or that discover violations through internal testing and red-teaming, receive a rebuttable presumption of reasonable care.
Clients may ask whether the NIST framework carries weight after Trump revoked Biden's AI executive order. It does. It exists as an independent, voluntary standard. The AG and Texas courts don't look to Washington to determine whether a TRAIGA safe harbor applies.
But the safe harbor only works with documentation to back it up. TRAIGA doesn't mandate recordkeeping, but it does authorize the AG to issue a civil investigative demand (CID) requesting system purpose, training data, inputs and outputs, performance metrics, known limitations, and post-deployment safeguards.
A company with nothing documented has no defense and 60 days to build one. Tell clients to start building that paper trail now, organized around those CID categories.
The AG's office has already shown what adequate documentation looks like. The September 2024 Pieces Technologies settlement, reached under the Deceptive Trade Practices Act (DTPA) before TRAIGA existed, required clear disclosure of accuracy metrics with supporting methodology, a prohibition on misrepresenting capabilities, and customer documentation covering training data, intended purpose, use protocols, and known limitations.
Those terms map almost exactly to TRAIGA's CID categories. Treat them as the baseline.
That settlement also illustrates a broader pattern. The AG opened investigations into Meta AI Studio and Character.AI for allegedly marketing chatbots as mental health tools to children. The $1.4 billion Meta biometric data settlement showed the office will pursue outcomes at scale.
This AG treats AI as a consumer protection enforcement priority and doesn't need TRAIGA to act on it. The DTPA carries its own penalties and a lower proof threshold than TRAIGA's intent standard. A client that avoids every TRAIGA prohibition can still face a DTPA investigation if its marketing or accuracy claims are deceptive. Advise clients with both statutes in mind.
One tension to flag: TRAIGA says disparate impact alone doesn't prove discriminatory intent. It also says its provisions should be "broadly construed and applied" to protect consumers. Those directives point in opposite directions. The first AG investigation involving biased outcomes and a developer claiming clean intent will force Texas courts to reconcile them. Until then, the safe harbor documentation is the strongest protection available.
The Risk Your Firm Hasn't Assessed
TRAIGA applies to any entity that deploys an AI system in Texas, produces a product or service used by Texas residents, or conducts business in the state. The statute defines "artificial intelligence system" as any machine-based system that infers from inputs how to generate outputs that can influence environments. Law firms using AI-powered contract analysis, legal research platforms, document review software, or client-facing chatbots are deployers under this definition.
Three specific risks follow.
First, if a firm uses AI in hiring or personnel decisions, the intentional discrimination prohibition applies to those internal operations. A firm using an AI screening tool to filter associate candidates or evaluate staff performance has the same TRAIGA exposure as any other employer deploying AI in workforce decisions.
Second, if a firm markets AI-assisted services and makes claims about those tools' reliability, it faces the same DTPA exposure the AG pursued in Pieces. A firm telling clients its AI research tool delivers accurate, comprehensive results is making an accuracy representation no different from a healthcare AI company claiming low hallucination rates.
Most firms making these representations haven't thought about them through a consumer protection lens. They should. The AG has already established that inflated AI accuracy claims in professional services contexts are enforceable under existing law.
Third, the biometric data provisions apply to any AI system using facial recognition, voiceprint analysis, or similar identifiers. Firms using AI-powered identity verification in client intake or know-your-customer processes should review whether their systems capture biometric data that triggers TRAIGA's consent requirements.
The safe harbor works identically for law firms. NIST alignment and documented internal testing protocols create the same rebuttable presumption. Start with an inventory: catalog every AI tool the firm uses, map each one against TRAIGA's prohibited uses, and document the intended purpose and known limitations. That's the foundation of a defensible position, and it doubles as the kind of AI governance documentation that sophisticated clients increasingly expect to see during engagement conversations.
Looking Ahead
With no Texas legislative session until 2027, TRAIGA won't change. The Advisory Council has no rulemaking authority and hasn't issued guidance. The sandbox hasn't announced participants. The statute your clients are living under today is the statute they'll be living under two years from now.
The open question is whether TRAIGA becomes a model or an outlier. If the DOJ Task Force successfully challenges Colorado's prescriptive framework while TRAIGA's prohibition model survives—a plausible outcome given their structural differences—other states will take notice. At least a dozen are considering AI legislation for 2026 and 2027.
A prohibition-based approach that withstands federal scrutiny, carries meaningful penalties, and gives businesses enough room to operate is an attractive template. Texas lawyers advising on TRAIGA compliance today may be building the playbook the rest of the country eventually follows.