TRAIGA Is Live: What Texas Businesses Using AI Must Fix Before the AG Complaint Portal Opens September 1, 2026

Governor Abbott signed TRAIGA into law on June 22, 2025. It is one of the broadest state AI laws in the country, and it does not care how big you are or where your headquarters sits. The law reaches anyone who:

• Promotes, advertises, or conducts business in Texas;
• Produces a product or service used by Texas residents; or
• Develops or deploys an AI system in Texas.

Read that again. A 25-person distributor in Conroe using an off-the-shelf AI scheduling tool is covered. So is a software company in Austin selling to Texans, and so is an out-of-state vendor whose AI touches your Houston customers. There is no small-business carve-out. If AI influences a decision that affects a person, you are in scope.

Here is what most owners miss. Only the Texas Attorney General can enforce TRAIGA. There is no private right of action, meaning customers and employees cannot sue you directly under the statute. That sounds reassuring until you understand the mechanics.

The AG cannot watch every business in Texas. The complaint portal is how the AG learns what to look at. After September 1, a fired employee who believes an AI tool treated them unfairly, or a customer who felt manipulated by a bot, can file a complaint in minutes. That complaint is the trigger for an investigation. The portal effectively crowdsources enforcement leads, and Texas has a large, motivated pool of potential complainants.

TRAIGA puts intent at the center. The prohibited uses for private companies include developing or deploying AI systems with the intent to:

• Manipulate a person into self-harm, harming others, or criminal activity;
• Infringe on a person's constitutional rights;
• Unlawfully discriminate against a protected class;
• Produce child sexual abuse material or unlawful deepfakes.

One detail is genuinely good news, and you should understand it precisely: a disparate impact alone is not enough to prove a violation. The AG must show intent. If your AI hiring tool happens to favor one group, that statistical outcome by itself does not establish a TRAIGA violation. But "we didn't mean to" is a weak defense when you have no documentation of what the tool was supposed to do, how you tested it, or what guardrails you put in place. Intent is proven or disproven with records, which is exactly why your paperwork is your protection.

TRAIGA gives violators a 60-day cure period after the AG sends written notice. Use it. But the numbers behind that grace period are serious.

Violation type	Civil penalty
Curable violation	$10,000 to $12,000 per violation
Uncurable violation	$80,000 to $200,000 per violation
Continuing violation	$2,000 to $40,000 per day

For a mid-market company, an uncurable finding plus a daily-accruing penalty can run into real money fast. The 60-day cure window is only useful if you can actually show the fix, and document what you changed in your internal policies to prevent a repeat.

TRAIGA offers affirmative defenses, and the most important one for most businesses is this: if you substantially comply with the NIST AI Risk Management Framework or a comparable recognized standard, you get a defense. You also get protection when you discover and fix problems through your own good-faith testing or audits.

Translation: a documented AI governance program is not bureaucratic box-checking. It is your legal shield. The law literally rewards companies that can prove they were trying to do the right thing. The companies that get hurt are the ones with AI scattered across the business and zero records.

There is also a regulatory sandbox: approved participants can test AI systems for up to 36 months without standard licensing, with reduced enforcement exposure while they experiment. That is more relevant to AI developers than to a typical SMB using third-party tools, but it is worth knowing the option exists.

You do not need a law firm on retainer to make meaningful progress. You need to do three unglamorous things, in order, before September 1.

1. Build an AI-use inventory. List every AI tool in the business, including the ones nobody officially approved. Marketing's content generator, the CRM's lead-scoring feature, the chatbot on your site, that resume-screening add-on HR turned on. For each, record what it does, what decisions it influences, and which people it affects. You cannot govern what you have not catalogued.
2. Write an acceptable-use policy. Put in writing what employees may and may not do with AI, what data can be fed into which tools, who approves new AI systems, and how you handle AI in consequential decisions like hiring. This is the document that demonstrates intent when the AG comes asking.
3. Review your vendor contracts. Most of your AI exposure comes from software you bought, not software you built. Ask vendors for their documentation, model details, testing records, and TRAIGA-specific assurances. If a vendor cannot tell you how their AI makes decisions, that is your liability, not theirs.

TRAIGA is a governance and documentation problem, but it sits on top of real infrastructure. An AI inventory is impossible without knowing what software is actually running on your network, which is where disciplined managed IT services for Texas businesses earn their keep. The data those AI tools consume needs to be protected, logged, and access-controlled, which is squarely the job of a strong cybersecurity program and tight privileged access management over who can touch sensitive systems.

If you operate in a regulated space, TRAIGA stacks on top of frameworks you may already be working through; our compliance hub covers how these overlapping obligations fit together so you are not building three separate programs that do the same work.

TRAIGA is live, the penalties are real, and on September 1, 2026 the Attorney General gets a complaint portal that turns ordinary friction with employees and customers into enforcement leads. The good news is that the law rewards preparation. A documented inventory, a clear policy, and reviewed vendor contracts move you from exposed to defensible, and most of that work is achievable before the portal opens.

From our headquarters in The Woodlands to our Round Rock office serving the Austin corridor, we help Texas SMB and mid-market companies turn regulatory deadlines into manageable projects. We provide support during business hours plus after-hours emergency coverage when something breaks. If you want a straight answer on where your AI exposure sits and a practical plan to close the gaps before September 1, book a meeting with our team and we will walk your stack with you.