Phil Wainewright over at Loosely Coupled published a good blog entry on governance. This is a refreshing view of a topic that many people have been (wrongly) thinking of as purely a design-time issue.
To drive Phil's point home: If your runtime environment ends up out of compliance with Sarbanes-Oxley, you don't get any points for following your design-time governance rules to the letter: you still go to jail.
And, as Phil also correctly points out, the cost of maintaining compliance over time can be overwhelming if you don't have the right tools for SOA governance.
Regulatory requirements that impact SOA come from all over the place. The European Union, for example, has requirements that all personal identities be encrypted. Or, if you do business with Visa (for example, as a retailer), there are very specific requirements about how you process the transaction and credit card data.