During a rather nice meal in London with Miko Matsumura of Infravio the service governance people he highlighted one area of the coming SOA challenge that I hadn't really thought about. Namely the challenge of governance rules becoming applications in themselves. Its one of those things that become obvious when you follow the trail down to the end but its still a different way of thinking about SOA.
Basically the point is that while Service governance is simple policy (e.g. WS-Security) or about protocol then its all nice and simple. When it becomes about rules of governance, e.g. only people with authority X can update this service or even "these fraud validation rules must be done on each inbound transaction" then it ceases to become simply about policy and more about actual business logic and function.
So the question basically is, when does policy become business logic and what is the best way to define, build, deploy and manage a governance centric service? Is "Payment" the functional service and "Payment with fraud-detection" the enterprise service?