- (a) Before a state agency or local government develops, procures, deploys, or uses a heightened scrutiny AI system and at the time that a material change is made to the system, the state agency or local government shall conduct a written AI risk assessment to consider the probability and severity of harm that could occur as the result of implementation of the AI system.
(b) The risk assessment shall consider and document:
- (1) The AI system's known security risks and mitigation steps available to limit those risks;
- (2) The heightened scrutiny AI system's performance metrics relating to accuracy and operational efficiency; and
(3) The heightened scrutiny AI system's transparency, including information about:
- (A) The system's algorithms and how the system makes decisions;
- (B) The data used to train the system's model; and
- (C) The availability of inputs and outputs to monitor the system's decision-making over time.
(c) When a state agency or local government is deploying any heightened scrutiny AI system, the AI Risk Officer shall:
- (1) Review the completed written risk assessment prepared for that system prior to system deployment; and
- (2) Approve or deny deployment of the system based on the risk and mitigation measures identified by the completed written risk assessment. At a minimum, the AI Risk Officer shall notify the state agency or local government's executive head or their designee of a decision to deploy a heightened scrutiny AI system. A state agency or local government may also establish a process for consultation or final approval by the executive head or their designee, as the state agency or local government determines appropriate.
- (d) The state agency or local government shall maintain a record of the completed written risk assessment and all relevant documents for as long as required by the applicable state records retention schedule.
Source Note:The provisions of this §219.22 adopted to be effective March 18, 2026, 51 TexReg 1610.