Regulations (I'm familiar with HIPAA/SOX/PCI) do not require specific technical implementations like this. These are just things that have been negotiated between IT and their auditor. Saying shitty IT policies are due to "regulation" is almost always a cop-out.
