Monday, November 27, 2006

While it is certainly true that adopting SOA as a company-wide architectural strategy can transform how IT resources are used by an organization, without some form of governance, and crucially integrated governance, organizations cannot hope to achieve the promised benefits.

A wiser man than me, in this case J Kobielus, chief analyst at Current Analysis, recently stated that:

"SOA is a mess waiting to happen. By encouraging widespread reuse of scattered software components, SOA threatens to transform the enterprise network into a complex, sprawling, unmanageable mesh. Left ungoverned (there's that word again, ed.), SOA could allow anyone, anywhere to deploy a new service anytime they wish, and anyone anywhere to invoke and orchestrate that service - and thousands of others - into ever more convoluted messaging patterns. In such an environment, coordinated application planning and optimization become fiendishly difficult. In addition, rogue services could spring up everywhere and pass themselves off as legitimate nodes, wreaking havoc on the delicate trust that underlies production SOA."

So it seems a rather poorly kept secret that, by and large, SOA is a collection of too many fast-moving parts. Without some kind of control mechanism with integrated enforcement of corporate policies, breaches are not just possible but likely. The reputation risk exposure alone has enormous implications for any enterprise.

Governance, then, integrated with registry technology, provides a control which should ideally span every stage of the service lifecycle, from the point at which the service is deployed, through any versioning in its lifetime, to policies for every time the service is consumed.

To take but a few examples:

Once a service has been deployed into the registry, how do you address the fact that many different applications may wish to use that service with very different requirements, e.g.
- application 1 needs a 12ms response
- application 2 needs 24 x 7 support
etc etc.

How do you readily understand any given service's uptime, transaction capacity and responsiveness?

At the most basic level, how do you enforce corporate standards and ensure no "junk" services enter your registry/repository?

In short, you cannot have a successful enterprise-wide implementation of SOA without good, software-based governance. Only with this solution in place can you standardize the processes that control how all of the stakeholders, from IT through support to the business units themselves, can maximize the benefits of SOA.

Without it, James Kobielus' vision will come true and SOA will languish at the stage of an expensive mess of unregulated middleware.
