With TRIAGA about to kick in on January 1, it seemed like a good time to pull everything together before the new year sneaks up on everyone. Section 1 is the breakdown I wrote back in July, back when this law was still fresh, and everyone was squinting at the statutory text, trying to decide if it applied to their world. Section 2 is what has happened since, what agencies are quietly sorting out behind the scenes, and what Texas is actually expecting from all of us.

If you’ve been trying to make sense of this law while juggling your real job, consider this your shortcut.

June 22, 2025, Governor Greg Abbott signed the Texas Responsible Artificial Intelligence Governance Act (TRIAGA) into law, making Texas the second state (after Colorado) to pass a comprehensive AI statute applicable to both public and private actors. But unlike Colorado’s broad requirements, Texas kept it tight, focusing on a few specific, high-risk uses of AI rather than sweeping regulation.

If you’re working with facial authentication, security systems, or AI-based decision tools, this law should be on your radar. Below, we break down what’s in it, how it interacts with Texas’s biometric privacy law (CUBI), and why this might be the most startup-friendly AI legislation in the country.

At a Glance

• Effective Date: January 1, 2026

• Applies to: Government, businesses, individuals

• Focus: Harmful behavior, biometric misuse, transparency

• Key Update: Major clarification of biometric privacy law (CUBI)

• Enforcement: Texas Attorney General only (no private lawsuits)

At the Texas Capitol, developers asked for clarity. Privacy organizations wanted meaningful guardrails. Legislative testimony and committee reports reflect a balance between those camps. Importantly, state legislators clarified during hearings that tools like facial authentication used for security—especially with notice—are not the focus of this law.

Legislative analysis, including the Texas House Research Organization’s report, emphasized avoiding the EU’s overreach while still creating enforceable rules. Testimony also led to a clearer carveout for security tools, which helped keep common applications, like facial recognition for building access, out of the penalty box.

The House Research Organization’s bill analysis highlighted TRIAGA’s intent: Limit harmful or rights-infringing AI but make room for tools that help Texans live and work more safely.

What TRIAGA Covers: Two Tracks, One Goal

TRIAGA regulates both the public and private sectors, but not identically. It outlines specific prohibited uses of AI that apply to all persons and adds a few extra restrictions for governmental entities.

Key Rules That Apply to Everyone

These are targeted, outcome-focused prohibitions. If you're not using AI for harm, you're likely in the clear.

Extra Rules That Apply to Governmental Entities

Let’s drill into that last one, because it's where confusion tends to live.

Biometrics: Permitted if Rights Are Respected

TRIAGA regulates both the public and private sectors, but not identically. It outlines specific prohibited uses of AI that apply to all persons and adds a few extra restrictions for governmental entities.

A governmental entity may not develop or deploy an artificial intelligence model for the purpose of uniquely identifying a specific individual using biometric data… without the individual’s consent if the gathering would infringe on any right under the U.S. or Texas Constitution or any other law. (§ 552.054)

• You can use AI with biometrics if it doesn’t violate rights and you’ve given notice or obtained consent where needed.

• Uses for security, access control, and safety are permitted, especially if accompanied by a privacy policy or signage.

This is consistent with the legislative history, which emphasizes keeping high-value government tech uses intact while avoiding China-style surveillance.

Here’s a breakdown of how TRIAGA treats common government use cases:

So, facial authentication for facility access or security screening? That’s 100% permitted, especially with notice and safeguards in place.

The Subtlety of Section 552.054: Consent “If” Rights Are Violated

One of the most legally nuanced provisions is Section 552.054. It states:

“A governmental entity may not develop or deploy an artificial intelligence system for the purpose of uniquely identifying a specific individual using biometric data or the targeted or untargeted gathering of images or other media from the Internet or any other publicly available source without the individual’s consent, if the gathering would infringe on any right of the individual under the United States Constitution, the Texas Constitution, or a state or federal law.”

Translation: Government agencies are not prohibited from using AI for biometric identification without consent—unless that use infringes on rights under the U.S. Constitution, Texas Constitution, or any state or federal law.

Important: It does not include "any other state's law." TRIAGA limits this to Texas and U.S. law, so California’s BIPA or Illinois' biometric law would not trigger this clause unless adopted by Texas.

This is a conditional restriction, not a categorical ban. It requires careful legal interpretation of whether a given use crosses a rights threshold (e.g., unreasonable search, due process violation, etc.).

The only enforcement authority, the Texas Attorney General, has broad discretion in how this is applied.

This is a conditional restriction, not a categorical ban. It requires careful legal interpretation of whether a given use crosses a rights threshold (e.g., unreasonable search, due process violation, etc.).

The only enforcement authority, the Texas Attorney General, has broad discretion in how this is applied.

What About CUBI — Texas’ Biometric Privacy Law?

CUBI (the Capture or Use of Biometric Identifier Act) has existed since 2009. It says private entities can’t collect biometric data without consent. But it’s had gray areas, particularly what is and isn’t a “commercial purpose” triggering CUBI requirements. TRIAGA brings some clarity.

Security/Safety Exemption

Under a new clarification added under TRIAGA, CUBI does not apply to biometric data used for a security or safety purpose.

So, if you’re using facial authentication to protect access to facilities, systems, or physical spaces, CUBI likely doesn’t apply.

AI Training Carveout

CUBI also doesn’t apply to biometric data used to train an AI model, as long as the data isn’t being used to identify a real person in the process. These two changes make CUBI more navigable for innovators and those purchasing the innovation.

Are Government Entities Bound by CUBI? TRIAGA?

Generally, no. CUBI applies to “commercial purposes.” State agencies, local governments, and public colleges and hospitals in Texas are generally considered governmental entities rather than private entities. As such, they are typically not engaged in activities for a “commercial purpose” as contemplated by CUBI.

Enforcement and Judicial Clarity

Under TRIAGA, there is no private right of action. Enforcement is exclusive to the Texas Attorney General, and violators have 60 days to fix the problem before penalties kick in.

That matters. It means the law is meant to guide, not punish. And it gives companies a chance to learn and adapt.

Yes, courts may still have to interpret terms like “interact,” “publicly available,” or “social scoring.” But the plain language gives us a lot to work with.

Under Texas law, when a statute doesn’t define a term, courts typically look first to the plain language—the ordinary, everyday meaning—of the word. That’s why it’s important to be clear about how these key terms are likely to be interpreted.

Similarly, HB 149 doesn't define security or safety, but by plain language, legislative context, and analogy, it likely includes:

These definitions help reduce legal ambiguity while providing compliance clarity for product and security teams.

No Portland-Style Bans in Texas

Remember when Portland banned private companies from using facial recognition—even for basic security? Yeah, Texas didn’t do that.

Thanks to a preemption clause in TRIAGA, local governments can’t pass their own AI laws that are stricter than the state’s:

“A political subdivision of this state may not adopt or enforce a law… that conflicts with or is more stringent than this subchapter.” (Texas Gov’t Code § 552.059)

The Sandbox: Innovation Gets a Launchpad

TRIAGA doesn’t just restrict bad behavior, it encourages innovation with a regulatory sandbox. If you're developing new AI products, especially those that need real-world testing, this is a big deal.

How It Works:

• Administered by the Texas Department of Information Resources (DIR)

• You apply, describe your use case, and show public benefit

• If approved, you get temporary regulatory relief to test your AI responsibly

• You’re still under oversight and transparency rules

This is modeled on fintech and health sandboxes. Texas wants you to test smart ideas here, not somewhere else.

So, if you’re building something new and important but don’t want to trip over unclear rules, this is the off-ramp you need.

Ready to fast forward six months?

Texas didn’t change a word of TRIAGA after it passed, but the months that followed have been surprisingly busy. Agencies began translating the statute from “legislative text” into “real-world instructions,” city governments realized they no longer had room to freelance, and a handful of public comments from state officials gave everyone a clearer sense of how this law will be enforced starting January 1, 2026.

DIR’s Pre-Launch Prep: What Agencies Are Being Told Behind the Scenes

By late summer, the Texas Department of Information Resources (DIR) started walking state agencies through internal drafts of its implementation guidance. These sessions weren’t splashy, but they were revealing.

DIR is preparing model language for the notice required when a person “interacts” with an AI system. And the agency has been blunt about one thing: authentication at a secure entry point is not an interaction. A two-way exchange is required for § 552.051 to apply. Badges, PIN pads, and facial authentication readers at controlled doors do not qualify.

DIR staff have been describing access control as a routine protective use, not a category that triggers special scrutiny. As long as agencies post signage or include language in their policies, they are considered well within TRIAGA’s guardrails. This matches the Legislature’s original statements during committee hearings, where they clearly separated security uses from the misuse scenarios TRIAGA was written to address.

For anyone deploying authentication tools for security purposes, this is the closest thing to a “yes, this is fine” that a regulator ever says out loud.

What the Texas Has Been Signaling

DIR’s focus is on TRIAGA’s core prohibitions: coercive AI, deepfake exploitation, discriminatory systems, and models that intentionally violate rights. When asked about enterprise security tools, officials went back to the statutory text. TRIAGA is aimed at harmful conduct, not everyday access control.

They also stressed the purpose of the 60-day cure period. TRIAGA was written to help organizations achieve compliance, not to penalize technical missteps. That context matters for companies trying to build realistic compliance programs, rather than reacting to alarmist headlines.

Also, since June, several attorneys and policymakers involved in the development of TRIAGA and the CUBI clarification have provided further insights regarding the Legislature's intent, specifically with respect to their participation in the relevant committees. Their comments help answer some of the questions companies have been trying to interpret on their own.

The most important point is that the CUBI security and safety exception is purpose-based, not architecture-based. It applies whether a company uses on-device processing, on-prem servers, hybrid workflows, or a cloud component. The Legislature cared about why the biometric is used, not how many hops the data takes along the way.

And while committee minutes for HB 149 reflect that testimony was taken and witness lists attached, the online minutes themselves are skeletal and do not reproduce detailed Q&A or definitions. But summaries of the testimony support the difference between authentication and surveillance. Authentication happens at a specific point when a person is trying to access something. Surveillance is everything beyond that moment.

TRIAGA’s restrictions in § 552.054 were written for surveillance-like activity, not for validating that the person at the door is the same person who enrolled.

These explanations track the committee statements made while the bill was moving through the Legislature and give companies a better sense of where the legal lines actually fall.

City Ordinances Quietly Went Away

Before TRIAGA, several large Texas cities were exploring their own AI rules. Some were considering audit mandates. Others were floating restrictions on biometric tools. All of those efforts ended once TRIAGA’s preemption clause became impossible to ignore.

In late 2025:

• Austin withdrew its draft ordinance

• Houston stopped exploring a biometric proposal

• Dallas publicly confirmed that earlier discussions would not continue

Each city cited the same issue: state law removed its authority to adopt stricter AI rules.

This matters for companies deploying security technology across multiple locations. Instead of a patchwork of local requirements, Texas now has one statewide standard.

Where Things Stand Heading Into 2026

Taken together, the post-passage activity points in a clear direction.

Texas wrote TRIAGA to address abuse, not to restrict authentication or access control. Recent informal guidance, unofficial remarks, and the withdrawal of local ordinances all reinforce that understanding. Further, the sandbox preparation rounds out the picture, showing that Texas wants productive, safety-oriented AI development to happen here, not somewhere else.

The January 1 effective date is coming quickly, but the law is no longer abstract. We now have a much better sense of how Texas expects this statute to function in practice.

Want to learn how Alcatraz's modern facial authentication solution can improve your company's safety and existing access control system? Schedule a demo: https://rock.alcatraz.ai/demo.

Have a real question about biometric privacy? DM me. I love this stuff.