Automated regulatory compliance for AI systems in the security domain: The case of dual-use deployment

The rapid expansion of the European Union’s digital regulatory framework and recent adoption of the Artificial Intelligence Act (AI Act) has introduced complex, overlapping compliance obligations for AI systems, and consequently, their developers and users. These challenges are amplified for dual-use AI systems, which may be developed for civilian markets yet deployed in military contexts, requiring alignment with both EU regulatory instruments and defence-specific frameworks such as NATO policies. Existing approaches to regulatory compliance remain largely manual, fragmented, and difficult to scale, particularly when legal requirements must be translated into actionable, system-level specifications for dual-use contexts. This paper proposes a novel ontology-based methodology for automated regulatory compliance requirements specification for dual-use AI systems. The methodology systematically integrates legal and technical perspectives by structuring compliance obligations across deployment domains (civilian and defence), system lifecycle phases, and requirement categories, including privacy- and security-related obligations. Implemented as a machine-readable knowledge graph using RDF/Turtle, the approach enables executable compliance modelling, where regulatory obligations are formalised as machine-interpretable entities that can be queried, validated, and deployment-specifically configured through semantic reasoning and SPARQL-based analysis. The methodology is validated through a detailed case study of an AI-powered espionage detection system, demonstrating how context-aware semantic reasoning and SHACL-based validation can ensure that regulatory requirements are consistently specified and mapped to concrete system components. The proposed framework advances the state of the art by providing a rigorous, extensible foundation for compliance-by-design and automated analysis, thereby reducing compliance risk and supporting responsible AI engineering in complex omni-use regulatory environments.