Title: Architecting AI for Compliance: Integrating EU AI Act Principles with MITRE ATLAS Threat Models
Conference: ACIIDS 2026
Tags: BPMN, compliance by design, EU AI Act, MITRE ATLAS, MLOps and risk management

Abstract: We present a compliance-aware reference architecture that operationalises the EU Artificial Intelligence Act (AI Act) by design and aligns security controls with the MITRE ATLAS threat model. The architecture (C-AIA) integrates three layers—Compliance (traceability and technical documentation), Security (ATLAS-informed mitigations), and Monitoring (observability, oversight, and post-market processes)—and is instantiated as a BPMN lifecycle that unifies pre-market conformity assessment with post-market monitoring and continuous risk management. To make conformity verifiable and repeatable, we provide (i) an architecture–obligation–threat mapping (AI Act Arts. 9–15, 72 ↔ ATLAS techniques) and (ii) an evaluation plan with pre-registered questions (EQ1–EQ3) and design-level metrics (M1–M6) covering compliance coverage, evidence completeness, threat-informed prevention/detection/response, and PMM→RMS feedback. Results are reported analytically via a design-justified matrix that links each obligation cluster to concrete control points and evidence artefacts, enabling auditability without benchmark numbers. The contribution is a practical blueprint—reference architecture, BPMN, and evaluation plan—that enables organisations to build AI systems that are secure and compliant by design and immediately testable with future empirical studies. Future work will execute the registered threat-emulation scenarios and publish quantitative outcomes.
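As an added illustration (not code from the paper or the C-AIA project), the following sketches what an architecture–obligation–threat mapping can look like in machine-checkable form and computes two of the design-level metrics the abstract names: compliance coverage and evidence completeness. The article clusters follow the AI Act; the control-point names, required artefacts and ATLAS technique IDs cited by the controls are assumed for the example.

```python
# Added example: a minimal obligation -> control point -> evidence mapping
# with coverage and evidence-gap checks. Control points, artefacts and the
# ATLAS technique IDs are assumed for illustration, not taken from the paper.
from dataclasses import dataclass, field


@dataclass
class ControlPoint:
    name: str                     # where in the C-AIA layers the control lives
    layer: str                    # Compliance | Security | Monitoring
    atlas_techniques: list = field(default_factory=list)  # assumed ATLAS IDs
    evidence: list = field(default_factory=list)          # artefacts produced


# Obligation cluster -> evidence artefacts an auditor expects (constructed).
REQUIRED_EVIDENCE = {
    "Art. 9 risk management": {"risk-register", "rms-update-log"},
    "Art. 10 data governance": {"dataset-card", "provenance-record"},
    "Art. 12 record-keeping": {"inference-log"},
    "Art. 15 robustness/cybersecurity": {"adversarial-test-report"},
    "Art. 72 post-market monitoring": {"pmm-plan", "incident-report"},
}

# Constructed mapping; Art. 72 is left uncovered on purpose to show a gap.
MAPPING = {
    "Art. 9 risk management": [ControlPoint(
        "risk-mgmt-gate", "Compliance", [], ["risk-register", "rms-update-log"])],
    "Art. 10 data governance": [ControlPoint(
        "data-intake-validator", "Security", ["AML.T0020"], ["dataset-card"])],
    "Art. 12 record-keeping": [ControlPoint(
        "inference-logger", "Monitoring", [], ["inference-log"])],
    "Art. 15 robustness/cybersecurity": [ControlPoint(
        "adversarial-eval", "Security", ["AML.T0043"], ["adversarial-test-report"])],
    "Art. 72 post-market monitoring": [],
}


def compliance_coverage(mapping, required=REQUIRED_EVIDENCE):
    """M1-style metric: fraction of obligation clusters with >= 1 control point."""
    covered = sum(1 for art in required if mapping.get(art))
    return covered / len(required)


def evidence_gaps(mapping, required=REQUIRED_EVIDENCE):
    """M2-style check: required artefacts that no control point produces."""
    gaps = {}
    for art, needed in required.items():
        produced = {e for cp in mapping.get(art, []) for e in cp.evidence}
        missing = needed - produced
        if missing:
            gaps[art] = sorted(missing)
    return gaps


def threat_informed(mapping):
    """Clusters whose control points cite at least one ATLAS technique."""
    return sorted(art for art, cps in mapping.items()
                  if any(cp.atlas_techniques for cp in cps))
```

Running the checks on the constructed mapping reports 80% coverage and flags the missing provenance record and the absent post-market artefacts, which is the kind of design-level result the abstract describes reporting without benchmark numbers.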
