One of the most misunderstood requirements of TRAIGA is the vendor demand letter. Most small business owners who learn about the law assume that identifying their AI vendors is the compliance step. It is not. Identification is the first step. The compliance step is what comes after.

TRAIGA requires deployers — businesses using AI-powered platforms — to take reasonable steps to understand the AI systems their vendors use. The mechanism the law contemplates for this is formal written communication to each vendor requesting their AI governance documentation.

This is not optional. It is not a best practice. It is a required element of a defensible TRAIGA compliance record.

Why the Letter Matters Legally

The legal standard TRAIGA applies to small business deployers is reasonable care. Reasonable care is not defined by what you knew. It is defined by what steps you took given what you could reasonably have done.

A business that can produce a dated, formal written request to Indeed asking for their AI compliance documentation is in a fundamentally different legal position than a business that cannot. The first business took a documented step. The second business did nothing.

When a demand letter arrives — from a plaintiff attorney, from a regulator, or from a job applicant's counsel — the first question will be: what did you do to understand the AI systems you were using? The vendor demand letter is your answer to that question.

What the Letter Must Accomplish

A TRAIGA vendor demand letter needs to accomplish four things to be legally meaningful.

It must be formally addressed. The letter should be addressed to the vendor's legal or compliance department, not to a customer service inbox. For major platforms like Indeed, LinkedIn, or Workday, their legal and compliance contact information is typically available on their website or through their terms of service. The letter should reference the vendor's full legal entity name.

It must cite the applicable law. The letter should specifically reference TRAIGA — the Texas Responsible AI Governance Act — and, where applicable, any other laws that apply to your business and the vendor relationship. Citing the specific legal authority makes clear that this is a compliance request, not a general inquiry.

It must request specific documentation. A vague request for "information about your AI" is not sufficient. The letter should request specific categories of documentation — the vendor's AI system documentation, their bias audit results or methodology, their risk management framework, their disclosure policies, and their process for handling AI-related complaints or errors.

It must establish a response deadline. The letter should request a response within a reasonable period — typically 30 days is appropriate. This creates a documented timeline and establishes what constitutes non-response.

What to Request Specifically

The documentation request section of the letter should ask for the following:

A description of which AI features in the platform influence consequential decisions and how those features work. The vendor's AI risk management policy and any documentation of how that policy is implemented. Results of any bias audits, fairness assessments, or impact evaluations conducted on the AI systems. The vendor's policy for notifying deployers of material changes to AI systems. The vendor's process for handling disputes or errors arising from AI-assisted decisions. Any documentation the vendor provides to demonstrate compliance with applicable state AI laws, including TRAIGA.

Not every vendor will be able to provide all of this. Many will not. But requesting it formally creates the record that you asked.

What Happens When Vendors Don't Respond

This is where the compliance picture gets interesting — and where many businesses are surprised.

Vendor non-response is itself a compliance data point. A vendor that receives a formal TRAIGA compliance documentation request and does not respond within the specified deadline has demonstrated, through their silence, that they either cannot or will not provide the requested documentation. That non-response, properly documented, is part of your compliance record.

The legal significance is this: a small business deployer that sent a formal request, waited the specified period, and received no response has demonstrated that they took every reasonable step available to them. They had no leverage to compel the vendor to respond. They documented the absence of a response. That record supports a reasonable care defense.

A business that never sent the letter has no such record.

There are three possible outcomes when you send a vendor demand letter. The vendor responds with substantive documentation — this is the best outcome and should be logged and archived. The vendor responds with a general statement about their compliance program without providing specific documentation — this should be logged as an evasive response and archived with that characterization. The vendor does not respond at all — this should be logged as non-responsive after the deadline passes and archived accordingly.

All three outcomes are useful. All three belong in your compliance record.

The Timing and Format Requirements

TRAIGA does not specify a particular format for vendor demand letters. They can be sent by email, by certified mail, or through a platform's formal communication channels. What matters is that you have evidence of when the communication was sent and what it said.

Email is acceptable but has a weakness — email servers can claim they did not receive messages, and email threads can be modified or deleted. A better practice is to send by both email and certified mail to the vendor's legal department, keeping copies of both.

The letter should be dated. It should reference your business name and the specific platform or product you are using. It should be professional in tone — this is a legal compliance communication, not a complaint letter.

When to Send the Letters

If you have not yet sent vendor demand letters to your AI vendors, send them now. TRAIGA has been in effect since January 1st. Every day without a compliance record is a day of exposure.

The timing of your demand letters will appear in your compliance record. A letter sent in April 2026 demonstrates that you acted within the first quarter of TRAIGA's enforcement period. That is materially better than a letter sent in response to a demand from opposing counsel.

This article is for informational purposes and does not constitute legal advice. For advice specific to your situation, consult a licensed Texas attorney.