TRAIGA Enforcement Starts September 1: A Five-Step Compliance Plan

· Infonaligy

The Texas AG's AI complaint portal opens September 1. Five steps to protect your business through NIST AI RMF safe harbor before enforcement begins.

The Texas Attorney General’s AI complaint portal opens September 1, 2026. When it does, any employee, customer, or competitor will be able to file a complaint, with a few clicks, against your business for how it uses AI. The Texas Responsible AI Governance Act (TRAIGA) has been in effect since January 1, but September is when enforcement becomes frictionless, and most Texas businesses still don’t have a compliance plan.

What the September 1 Portal Changes

Filing an AI-related complaint with the Texas AG currently requires contacting the office directly. That creates enough friction that most grievances go unreported. The complaint portal removes that barrier entirely.

This matters for every business that touches AI. A job applicant screened out by an AI hiring tool can file a complaint. A customer who received a different offer than a peer because your CRM scoring algorithm weighted demographics can file a complaint. An employee who discovers their performance reviews were influenced by AI pattern-matching can file a complaint. Each of these takes minutes, not weeks.

In May, we covered the full scope of what TRAIGA requires. This post focuses on what you need to do before September 1 and how to qualify for the legal protection that most businesses don’t know about.

TRAIGA Applies If You Use AI in Texas

TRAIGA does not just apply to AI companies or tech startups. It applies to any business that deploys AI systems in Texas. “Deploy” includes purchasing and using AI-powered tools that your employees interact with daily.

If your team uses Microsoft Copilot to draft emails or analyze spreadsheets, you deploy AI. If your CRM scores leads automatically, you deploy AI. If your HR platform screens resumes or ranks candidates, you deploy AI. If your team uses ChatGPT or Claude for research, content creation, or customer communications, you deploy AI.

The law targets three areas:

  • Discriminatory AI outcomes. Using AI systems that intentionally discriminate based on protected characteristics, or maintaining systems you know produce discriminatory results.
  • Biometric data. Using biometric identifiers like facial recognition or voiceprints in AI processing without disclosure and consent.
  • Government transparency. Failing to disclose AI involvement in government-facing transactions or public-sector contracting.

The critical word is “intentionally.” TRAIGA uses an intent-based liability standard, meaning you are liable if you deploy AI knowing it discriminates or continue operating a system after learning it produces biased outcomes. This is a lower bar than some businesses assume. “We didn’t know” stops being a defense once a complaint investigation reveals that you had no monitoring, no audit trail, and no governance policy to detect problems in the first place.

The Penalty Structure

TRAIGA’s penalties are tiered based on severity and whether the violation can be fixed.

Curable violations get a 60-day cure period. If you fix the issue within 60 days of receiving notice from the AG, the penalty ranges from $10,000 to $12,000 per violation. These typically involve documentation gaps, missing disclosure language, or AI tools that can be reconfigured to address the complaint.

Uncurable violations carry penalties from $80,000 to $200,000 per violation. These involve AI systems that caused demonstrable harm through discriminatory outcomes, unauthorized biometric data use, or willful non-compliance after receiving a cure notice.

Ongoing violations accrue $2,000 to $40,000 per day. If you receive a cure notice and fail to act, the daily penalties start accumulating on day 61.

For a 200-person company, even one curable violation at the low end costs $10,000. An uncurable violation from an AI hiring tool that screened candidates using zip code as a proxy for race could reach $200,000 before legal fees. Multiple violations compound. A business running three unaudited AI systems that each produce a separate complaint faces exposure well into six figures.

The NIST AI RMF Safe Harbor

Most businesses miss this part: TRAIGA includes an affirmative defense for companies that substantially comply with the NIST AI Risk Management Framework (AI RMF).

The NIST AI RMF is a voluntary framework published by the National Institute of Standards and Technology that outlines how organizations should govern, map, measure, and manage AI risks. It is not a certification you apply for. It is a set of practices you implement and document.

If your business can demonstrate substantial compliance with the NIST AI RMF at the time of an alleged violation, you have an affirmative defense against TRAIGA enforcement. In practical terms, you can present your NIST alignment documentation to the AG’s office and demonstrate that you took reasonable, recognized steps to manage AI risk.

This is not a blanket immunity. You still need to address the underlying complaint. But it is the difference between facing a $200,000 penalty and demonstrating that your business followed an established federal framework for AI governance. The AG’s office has significant discretion in enforcement, and documented NIST compliance shifts the conversation from “did you do anything?” to “was what you did reasonable?”

The NIST AI RMF has four core functions:

  1. Govern. Establish policies, roles, and accountability for AI oversight.
  2. Map. Identify where AI is used, who it affects, and what could go wrong.
  3. Measure. Assess AI systems for bias, accuracy, reliability, and security.
  4. Manage. Implement controls to mitigate identified risks and monitor AI performance over time.

For most SMBs, substantial compliance does not require hiring a team of AI ethicists. It requires documenting what AI you use, who oversees it, how you test for problems, and what you do when you find them.

Five Steps to Compliance Before September 1

You have less than 80 days. Each of these steps can be started this week.

1. Catalog every AI system in your organization.

Start with the tools you know about: Microsoft Copilot, ChatGPT, any AI features in your CRM, HR platform, or accounting software. Then go deeper. Ask department heads what tools their teams actually use. Check your network logs for connections to AI service endpoints from OpenAI, Anthropic, or Google. Shadow AI, meaning tools employees adopted without IT approval, is where the highest compliance risk hides because you cannot govern what you do not know about.

If you have already completed an AI governance review, use that inventory as your starting point and update it.
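One way to run the network-log check from step 1, as an added example that is not part of the original post. The hostname list, the three-column log format, and the `approved` set are assumptions for illustration; substitute your own resolver or proxy export and your own approved-tool list.

```python
import re
from collections import defaultdict

# Assumed hostname suffixes for the three providers the post names; extend as needed.
AI_SUFFIXES = {
    "openai.com": "OpenAI",
    "chatgpt.com": "OpenAI",
    "anthropic.com": "Anthropic",
    "claude.ai": "Anthropic",
    "gemini.google.com": "Google",
    "generativelanguage.googleapis.com": "Google",
}

# Constructed sample lines in an assumed format: "<time> <client> <queried host>"
SAMPLE_LOG = """\
2026-06-15T09:01:12Z 10.0.4.21 api.openai.com
2026-06-15T09:01:40Z 10.0.4.21 chatgpt.com
2026-06-15T09:02:03Z 10.0.7.88 claude.ai
2026-06-15T09:02:10Z 10.0.7.88 www.example.com
2026-06-15T09:03:55Z 10.0.9.14 notopenai.com
2026-06-15T09:04:01Z 10.0.9.14 GEMINI.GOOGLE.COM.
malformed line
2026-06-15T09:05:30Z 10.0.4.21 api.anthropic.com
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")

def match_provider(host):
    """Match on a label boundary so 'notopenai.com' is not counted as OpenAI."""
    host = host.lower().rstrip(".")  # normalize case and trailing root dot
    for suffix, provider in AI_SUFFIXES.items():
        if host == suffix or host.endswith("." + suffix):
            return provider
    return None

def build_inventory(log_text, approved):
    """Return {provider: {clients, hits, approved}} for AI endpoints seen in the log."""
    found = defaultdict(lambda: {"clients": set(), "hits": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        _, client, host = m.groups()
        provider = match_provider(host)
        if provider:
            found[provider]["clients"].add(client)
            found[provider]["hits"] += 1
    return {p: {"clients": sorted(d["clients"]), "hits": d["hits"],
                "approved": p in approved} for p, d in sorted(found.items())}

if __name__ == "__main__":
    for provider, row in build_inventory(SAMPLE_LOG, approved={"OpenAI"}).items():
        print(provider, row)
```

Providers that appear with `approved` set to false are the shadow-AI candidates to raise with department heads and add to the inventory.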

2. Audit your vendor contracts for AI transparency.

For every AI-powered tool you use, pull the vendor contract and privacy policy. Look for three things: how the vendor uses your data in AI processing, whether the vendor provides bias testing or audit documentation, and what happens to your data if you terminate the contract. Many SaaS vendors added AI features to existing products without updating their data processing agreements. Your compliance obligations under TRAIGA extend to AI decisions made by tools you purchase, not just tools you build.

3. Draft a written AI governance policy.

This is the document that proves you thought about AI risk before a complaint arrived. It should cover which AI tools are approved, what data can be entered into them, which decisions require human review, and how employees report concerns about AI outcomes. If you already have an AI policy for multi-state compliance, update it to reference NIST AI RMF alignment explicitly.

4. Train your managers on appropriate AI use.

Managers are the most common point of failure. They adopt AI hiring tools without understanding the discrimination risk. They use Copilot to write performance reviews without knowing the company policy on AI-assisted HR decisions. They approve AI-generated customer communications without checking for accuracy. A 60-minute training session that covers your AI policy, the specific tools your organization uses, and the scenarios that create TRAIGA exposure costs almost nothing and eliminates the most common compliance gaps.

5. Document your NIST AI RMF alignment.

This is what activates the safe harbor. For each of the four NIST functions (Govern, Map, Measure, Manage), document what your business has done. You do not need a 100-page report. You need evidence that you have an AI governance structure, that you have identified your AI systems and their risks, that you have assessed those systems for bias and accuracy, and that you have controls to address problems when they arise.

Your AI services partner or virtual CIO can help structure this documentation if your internal team does not have the capacity. The important thing is that the documentation exists before a complaint does.

The Clear Path Forward

TRAIGA is not designed to punish businesses for using AI. It is designed to ensure that businesses using AI do so responsibly. The safe harbor provision proves this: if you follow the NIST framework and document your compliance, you have a recognized legal defense. The businesses that act before September will be in a fundamentally different position than those that wait for the first AG inquiry to arrive.

Start with step one this week. Know what AI you are running. Everything else follows from there.

Need Help With TRAIGA Compliance?

Our team can inventory your AI systems, assess your TRAIGA exposure, and document NIST AI RMF alignment before the September 1 deadline.
