Texas TRAIGA Has Been Live for 4 Months. Here's What the AG Is Doing — and What You Should Be Ready For.

Texas's Responsible AI Governance Act (HB 149) took effect January 1, 2026. As of today — April 23, 2026 — the Texas Attorney General has filed zero public enforcement actions under it. No cure letters. No settlements. No civil filings. No press releases.

That's not a sign the law is being ignored. It's a sign that the enforcement machinery is still being built — exactly the way the statute itself sequenced it.

What the Statute Actually Sequenced

TRAIGA's effective date and its enforcement infrastructure deadlines are two different things. The law became binding on regulated parties on January 1, 2026. But the Attorney General's online consumer complaint portal — the mechanism that will route most enforcement leads — is not statutorily required to launch until September 1, 2026 (HB 149 Section 8, implementing Sec. 552.102).

That's an eight-month gap between "the law applies to your business" and "consumers have a state-built way to report you." During that gap, enforcement is possible but unusual. The AG's office has exclusive enforcement authority under Sec. 552.101(a), and could file a civil investigative demand or bring an action without waiting for a complaint. They just haven't.

The Texas Department of Information Resources (DIR), which administers the 36-month regulatory sandbox under Sec. 553.053(a), is also still standing up its program. DIR's Technology Legislation page acknowledges TRAIGA as a program DIR will administer, but no application rules, sandbox docket, or participant list has been published.

What "Zero Public Enforcement" Does Not Mean

The absence of announced enforcement does not mean:

• The law has been delayed. It hasn't. It's in force. The 60-day cure period (Sec. 552.104(b)) starts running from the date the AG provides notice — which can happen any day from now forward.
• The AG has signaled non-enforcement. No statement of forbearance has been issued. No FAQ page has been published telling businesses to stand down. The silence is operational, not policy.
• You have until September to start documenting. The 60-day cure period only helps you if you have something to cure. If the AG sends you a notice and you have no impact assessment, no AI inventory, no risk evaluation — there's nothing to fix. The cure period is for businesses that documented imperfectly. It is not for businesses that did nothing.
• There won't be a private right of action. There won't be — TRAIGA gives the AG exclusive enforcement (Sec. 552.101(a)). But the Workday hiring lawsuit shows that AI-related discrimination claims are increasingly viable under existing federal and state employment law, regardless of TRAIGA. Federal Title VII and Texas employment law operate independently.

What the Penalty Structure Tells You About AG Priorities

The penalty structure (Sec. 552.105(a)) is a tiered architecture that reveals where Texas wants enforcement focus to land:

• Curable violations: $10,000–$12,000 per violation
• Uncurable violations: $80,000–$200,000 per violation
• Continuing violations: $2,000–$40,000 per day on top of the base penalty

The 8x gap between curable and uncurable is the single most important signal. Texas built a regime where genuine compliance attempts get treated very differently from willful or reckless ones. The AG's office, when it does act, will almost certainly tier its enforcement to match — sending cure letters first to organizations that show evidence of an attempt, escalating to uncurable-violation findings only against the egregious cases.

This is also why the NIST AI 600-1 affirmative defense in Sec. 552.105(e)(2)(D) matters. A business that can show "substantial compliance with the most recent version" of AI 600-1 has a statutory affirmative defense — not a complete shield, but a presumption that flips the burden to the AG.

NIST AI 600-1 has not been updated since its July 26, 2024 publication. NIST did publish draft IR 8596 on AI cybersecurity in December 2025 and an RFI on AI security considerations in January 2026, but neither replaces or amends 600-1. The version of the framework you're aligning to is still the 2024 baseline. That's stable — a feature, not a bug, for businesses building compliance programs around it.

What "Enforcement-Ready" Actually Looks Like

The businesses that survive the first wave of TRAIGA enforcement won't be the ones with the fanciest compliance programs. They'll be the ones who can produce documents on the day the AG asks. Specifically:

• An AI System Inventory. Every AI system the business uses, classified by purpose. A spreadsheet is fine.
• A Risk Management Policy aligned to NIST AI 600-1. The affirmative defense framework. A short policy document with named owners and review cadence.
• A Consumer Notification Template. Required when AI is used in a consequential decision affecting a Texas consumer.
• A Bias Evaluation & Anti-Discrimination Documentation set. Especially important since TRAIGA requires intent for discrimination claims (Sec. 552.056(c)) — but you still need to show you evaluated.
• A documented Cure Process. What you do when the AG sends a notice. Who reviews it. What gets escalated. The 60-day clock is short — having a documented process saves you from having to build one in real time under enforcement pressure.

These are the documents in our Texas TRAIGA compliance package. They cost $299. The lowest-tier curable penalty per violation is $10,000.

The Window That's Closing

The four-month "quiet period" since January 1 has been usable preparation time. The next four months — through August 2026 — are the last stretch before the AG's complaint portal goes live and the volume of enforcement leads jumps. After September 1, the AG's office moves from "reactive when something obvious happens" to "scanning a steady inbound complaint stream."

The Texas businesses that get the early cure letters won't be the ones who did nothing. The AG won't waste an investigative demand on a business with zero documentation — they'll route those straight to uncurable violation territory or the courts. The cure letters will go to businesses that documented enough to be worth saving.

If you've been waiting for the AG to do something before you take TRAIGA seriously, the window for being a "second wave" target instead of a "first wave" target is now.

This article reflects publicly available information as of April 23, 2026. It is not legal advice. Section numbering and statutory citations are taken from the [enrolled bill text on capitol.texas.gov](https://capitol.texas.gov/tlodocs/89R/billtext/html/HB00149F.htm). Compliance program design specific to your business should be reviewed by qualified Texas counsel.