Texas SB 1964: A Comprehensive Guide to the New AI & Cybersecurity Regulations

By /

As artificial intelligence becomes increasingly embedded in government operations, states are stepping up to regulate its use. Texas Senate Bill 1964 (2025) is one of the most significant state-level AI governance laws to date, establishing strict cybersecurity and bias testing requirements for AI systems used by Texas state agencies.

This blog provides a detailed breakdown of SB 1964, its implications for businesses, and actionable steps to prepare for compliance.

Key Provisions of Texas SB 1964

1. Mandatory Cybersecurity Standards for Government AI (Sec. 2054.602)

The bill requires state agencies to implement NIST-aligned security controls for AI systems, including:

  • Vulnerability testing (penetration testing, adversarial AI red-teaming)
  • Data integrity validation (checksums, dataset provenance tracking)
  • Strict access controls (role-based permissions, multi-factor authentication)

Why It Matters:

  • Vendors selling AI to Texas agencies must now meet these security benchmarks.
  • Likely to influence procurement requirements for private-sector AI vendors.

2. Bias Testing & Impact Assessments for High-Risk AI (Sec. 2054.603)

AI systems used in criminal justice, healthcare, and public benefits must undergo:

  • Demographic accuracy audits (disparate impact analysis)
  • Transparency documentation (model cards, training data sources)
  • Mitigation plans for identified biases

Case Study:
A Texas unemployment benefits AI was found to wrongly deny claims for non-English speakers. SB 1964 would require agencies to detect and fix such biases before deployment.

3. Creation of the Texas AI Advisory Council (Sec. 2054.606)

9-member expert panel will:
✔ Recommend AI governance policies
✔ Review agency compliance
✔ Report findings annually to the legislature

Council Composition:

  • 3 cybersecurity experts
  • 2 civil rights advocates
  • 2 AI industry representatives
  • 2 academic researchers

Implication: This council could shape future AI regulations affecting private businesses.

How SB 1964 Impacts Private Businesses

While the bill currently applies only to Texas state agencies, it signals broader trends:

1. Vendor Compliance Requirements

  • Companies selling AI to Texas government must now:
    • Provide bias audit reports
    • Certify NIST SP 800-53 compliance
    • Allow third-party penetration testing

2. Future Expansion to Regulated Industries

  • Likely next targets: Healthcare (HIPAA AI), Finance (loan underwriting AI), Education (admissions algorithms)
  • Similar bills expected in California, New York, and Florida

3. De Facto Industry Standards

  • Even non-government AI vendors may adopt SB 1964’s framework to stay ahead of regulations.

3 Steps Businesses Should Take Now

1. Conduct an AI Risk Inventory

  • Map AI systems against SB 1964’s “high-risk” categories.
  • Prioritize applications in healthcare, legal, and public services.

2. Align Security Controls with NIST SP 800-53

  • Implement:
    • Model integrity checks (e.g., cryptographic hashing for training data)
    • API security (rate limiting, OAuth2.0 for AI endpoints)
    • Adversarial testing (red-team LLMs for prompt injection)

3. Formalize Bias Testing & Documentation

  • Use tools like:
    • IBM Fairness 360 (bias detection)
    • MLflow (model versioning)
    • Fiddler AI (audit trail generation)
  • Create standardized model cards for regulators.

Comparison: SB 1964 vs. Other AI Laws

RegulationScopeBias TestingCybersecurityEnforcement
Texas SB 1964State agenciesRequiredNIST SP 800-53Advisory Council
EU AI ActAll high-risk AIRequiredISO 27001Fines up to 7% revenue
Colorado AI ActPrivate companiesVoluntaryNoneNo penalties

Key Takeaway: Texas is taking a middle-ground approach—stricter than Colorado but narrower than the EU.

What’s Next?

  • 2025: SB 1964 takes effect for Texas agencies.
  • 2026-2027: Likely expansion to vendors and contractors.
  • 2028+: Potential adoption by other states.

Final Thoughts

Texas SB 1964 is a bellwether for U.S. AI regulation, blending cybersecurity mandates with bias accountability. Businesses should:

  1. Audit AI systems against the bill’s requirements.
  2. Strengthen documentation for compliance audits.
  3. Monitor the AI Advisory Council for future policy shifts.

References

Press release from Senator Tan Parker’s office: https://www.senate.texas.gov/press.php?id=12-20250307a

The complete text from the bill (TX SB1964): https://legiscan.com/TX/text/SB1964/2025

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top