Texas Turned Its AI Law On While Colorado Tore Its Own Down: The US Patchwork Is Real
TRAIGA is live with penalties up to 200,000 dollars. Colorado repealed its landmark law before it ever bit. If you deploy across states, the record you can prove is the only thing that travels with you.
By Micky Irons
Two American states did the opposite thing within five months of each other, and together they told every multi-state operator exactly what the next decade looks like.
On 1 January 2026, Texas turned its AI law on. The Texas Responsible Artificial Intelligence Governance Act, TRAIGA, took effect with the attorney general holding exclusive enforcement power and a penalty schedule that runs up to 200,000 dollars for an uncurable violation. Then, on 14 May 2026, Colorado did the reverse. Governor Polis signed SB 26-189, which repealed and reenacted the state's landmark 2024 AI Act and pushed the whole thing out to 1 January 2027. Colorado's original law never once bit. It was delayed, then gutted and replaced before a single obligation landed.
One state hardened. One state retreated. Neither waited for Washington. That is the patchwork, and it is no longer a slide in a forecast deck. It is the map you are already standing on.
What Texas actually switched on
Let me be precise, because the numbers matter. TRAIGA applies to entities that do business in Texas, produce a product or service used by Texas residents, or develop or deploy an AI system in the state. Enforcement sits entirely with the Texas attorney general. There is no private right of action. Before the AG can act, it must give notice and a 60-day window to cure.
The penalties scale with how bad the conduct is. Curable violations that go uncured run 10,000 to 12,000 dollars each. Uncurable violations run 80,000 to 200,000 dollars each. Continuing violations can add 2,000 to 40,000 dollars per day. The core prohibitions target intentional harm: developing or deploying AI designed to injure people, enable crime, impair constitutional rights, unlawfully discriminate against a protected class, or produce unlawful sexual content.
This is a live statute with a live enforcer and a real number attached. If you operate in Texas, it is switched on right now.
What Colorado tore down
Colorado's 2024 Act was the ambitious one. It imposed a duty of reasonable care to prevent algorithmic discrimination, mandatory risk-management programmes for deployers, and annual impact assessments on high-risk systems. It was the template everyone pointed to.
SB 26-189 removed the load-bearing walls. The duty of care is gone. The mandatory risk-management programmes are gone. The annual impact assessments are gone. In their place is a narrower framework built around automated decision-making technology that makes consequential decisions: notify people when they are interacting with AI, meet disclosure and consumer-rights obligations, keep records, and provide meaningful human review. It takes effect 1 January 2027, and the attorney general has signalled he does not intend to enforce it until rulemaking concludes.
So the most-cited AI law in America was rewritten into something much lighter before it ever applied. If you spent 2025 building a compliance programme against the old Colorado text, a large part of that spend is now aimed at a target that no longer exists.
The real lesson is not Texas versus Colorado
The lesson is that you cannot build your governance to any single state's law, because the law itself is unstable. One legislature hardens while another retreats. Other states are moving on their own timelines, in their own directions, and none of them is copying the last one. And over the top of it sits a federal preemption fight that is genuinely unresolved: an executive order directing a review of state laws, a Commerce review in play, and a bipartisan bloc of state attorneys general publicly opposing broad preemption. No federal statute and no court has paused state AI law. The contest is still open.
Here is the honest read. Nobody is going to hand a national deployer one clean rulebook any time soon. You will run under many rulebooks at once, and the set will keep changing shape underneath you.
The thing that has to survive the churn is the record
If the rules move, what carries your defence from one regime to the next? Not your policy binder. The evidence.
Whether a Texas AG opens a 60-day cure inquiry, a Colorado regulator asks how a consequential decision was reached in 2027, or a California audit lands, they are all asking a version of the same question. What did the system do, on what input, under whose authority, and can you prove the record has not been altered since? The state names on the letterhead differ. The underlying demand is identical: a trustworthy, tamper-evident account of the actual decision.
This is the whole reason I built Mickai the way I did. Mickai is a Sovereign Intelligence Operating System. Regulated organisations own it and run it inside their own walls, air-gapped where the workload demands it, and every action the system takes writes a cryptographically-signed audit record. Not a log you have to trust because it lives on someone else's server. A signed record you can hand to any regulator in any state and that they can independently verify has not been tampered with.
I want to be straight about the market, because overclaiming helps nobody. Almost every regime here permits AI deployment with the right controls. TRAIGA does not ban you from operating. Colorado's new law does not ban you either. The genuine hard no-cloud line is workload-level, not company-wide: classified environments, ITAR-controlled data, isolated operational technology, a data-protection assessment that comes back negative. For everything else the driver is a preference for sovereignty and, increasingly, the practical need to produce proof on demand. That practical need is what a signed audit record answers, and it answers it the same way in Austin, Denver, and Sacramento.
Portability is the strategy
A portable evidence record is the only governance asset that does not depreciate when a legislature changes its mind. Texas hardened, so your record proves you did not cross its intentional-harm lines. Colorado softened, so your record still shows how a consequential decision was made and reviewed, which is exactly what its 2027 framework will ask for. When a fifty-first rule arrives, you are not rebuilding your evidence pipeline. You are pointing the same signed record at a new set of questions.
This connects directly to how I think about AI governance under a state patchwork and about the tamper-evident audit trail that runs under every Mickai action. Build the record once, own it, sign it, keep it inside your walls. Let the states argue about the rules. Your proof travels with you.
Frequently asked questions
Is TRAIGA actually in force right now?
Yes. TRAIGA took effect 1 January 2026. The Texas attorney general has exclusive enforcement authority, must give a 60-day cure period before acting, and penalties for uncurable violations reach 200,000 dollars each, with continuing violations adding up to 40,000 dollars per day. There is no private right of action.
Did Colorado's AI Act ever take effect?
No. The 2024 Colorado AI Act was delayed, then repealed and replaced by SB 26-189, signed 14 May 2026. The new, lighter automated-decision-technology framework takes effect 1 January 2027, so the original obligations never applied.
Will a federal law preempt all of this soon?
Not yet, and it is genuinely uncertain. There is an active federal preemption push, including an executive order and a Commerce review, but no federal statute or court has paused state AI law, and a bipartisan group of state attorneys general has opposed broad preemption. Plan for the patchwork, not for rescue from it.
How does a signed audit record help across different states?
Every regime asks a version of the same question: what did the system do, under whose authority, and can you prove the record is intact. A cryptographically-signed, tamper-evident record answers that identically regardless of which state is asking, so you do not rebuild your evidence for each new law.
The takeaway
Texas switched its law on. Colorado tore its own down before it worked. The states are not converging, they are diverging, and Washington has not settled the question. If your governance is pinned to one statute, you are one legislative session away from starting over. The asset that survives is the one you can prove: a portable, signed, tamper-evident record of what your AI actually did, owned by you, produced on demand, verifiable by anyone. Build that, and the patchwork stops being a threat and becomes a series of questions you already have the answer to.


