Right-Sizing Research Governance, or Why You're Handing Out Hazmat Certifications for Coffee Runs
Say "governance" in a room full of product folks and watch the energy leave. It's a word that carries baggage — compliance checklists, approval queues, processes that feel engineered to slow things down. And honestly, that reputation isn't entirely without reason.
But the problem isn't governance itself. It's that governance too often gets applied with a broad brush — blanket requirements that don't account for what people are actually trying to do, who they are, or what they need to get there. The result is friction where there should be flow.
Governance doesn't have to be a wall. When it's done well, it should feel more like a road — clear lanes, sensible signage, and a design that helps people get where they're going without ending up somewhere they shouldn't be.
Start With Understanding, Not Restriction
When I think about governance, I don't think about restriction. I think about understanding. Before you can design any system of access or oversight, you need to understand your terrain:
- What are your research assets?
- Who are the people interacting with them?
- What are they trying to accomplish, and what does success look like for them?
That last question is the one that gets skipped most often, and it's the most important one. Because once you understand what someone is actually trying to do, you can start to see that the path they need might be a lot simpler than the one you've been building for them. A product manager who wants to validate a prototype doesn't need the same access, tooling, or training as a researcher conducting a longitudinal diary study with sensitive participant data. They have different goals, different risk profiles, and different needs — so why would we hand them the same set of keys?
This is where Research Operations becomes a strategic function. Managing tools and coordinating participant recruitment have historically been core parts of the role — and they still are in many organizations, especially those in the earlier stages of building out their research practice. But as teams grow, as research becomes more distributed, and as the demands on product organizations evolve, the strategic dimension of Research Ops becomes harder to ignore. Designing systems that connect the right people with the right level of access to do meaningful work — that's governance. And when you frame it that way, it stops being about "no" and starts being about "here's how."
The Licensure Model
So what does that look like in practice? I've found it helpful to think about governance through a system most of us are familiar with: the driver's license.
Nobody is born with a driver's license. You start with a learner's permit — a limited set of privileges that lets you get behind the wheel under specific conditions, with a licensed driver sitting next to you. You go through driver's ed. You pass your tests. And then you get your full license, which grants you the ability to drive a certain type of vehicle up to a certain weight. If your goals demand more — say, driving a commercial vehicle — there's an additional set of training and evaluations to get that endorsement. And if you need to haul hazardous materials on top of that, there's yet another layer of entitlements and approvals.
Research governance can work the same way. Not as a single gate that's either open or closed, but as a progressive system where access is matched to need. The question isn't "should this person be allowed to do research?" It's "what kind of research are they trying to do, and what do they need to do it well?"

The Tiers in Practice
Here's how I think about the tiers:
Walking and public transit. In many cities, this is the most efficient way to get around — it's not a lesser option, it's just a different means of conveyance. But even taking the subway requires some orientation: nobody inherently knows how to read a transit map. Good signage matters. In research terms, this looks like consuming existing insights: reading reports in a repository, watching highlight reels, attending readouts. The barrier to entry is low, but it's not zero — people still need to know where to look and how to make sense of what they find. For a lot of people in a product organization, this is exactly what they need. Not everyone needs to generate new research to make better decisions — sometimes the insight already exists, and the real gap is making it findable and understandable.
The learner's permit. This is someone running their first research activity — maybe an unmoderated usability test using a template your team has already built. They have access to the tools, but they're not flying solo. The guardrails here don't always come in the form of a researcher sitting next to them — and often they shouldn't, because that's not the highest-value use of a researcher's time. Instead, the co-pilot might be the system itself: templates that enforce best practices, educational resources that are easy to find when you need them, office hours for when you get stuck. The goal is to build confidence and competence without creating a bottleneck.
A full license. This is independent evaluative work. This person has demonstrated competence through that supervised period. They understand the tools, the ethical considerations, the data handling requirements. They can run a usability study or a survey without someone looking over their shoulder, because they've already proven they know the road.
Specialized endorsements. In research terms, this is generative work with sensitive populations, studies involving protected health information, or research that carries meaningful legal or reputational risk. This is where additional training, tighter oversight, and explicit approvals are not just appropriate but necessary. Not everyone needs to get here, and that's by design.

Right-Sizing the Access
There's a temptation when building a governance program to focus all your energy on the progression — how do we move people from one tier to the next? But the most important insight I've come back to again and again is that not everyone needs to move up. Not everyone needs to drive.
If your goal is to meet someone across town for coffee, you don't need a hazmat certification and an 18-wheeler to get there — you may not even need a car. You could walk, take the subway, maybe ride a bike. The same logic applies to research. A product manager who needs to understand whether a flow is confusing doesn't need to be trained on IRB protocols and PII handling procedures. They need a well-scoped unmoderated test with a solid template (with safety guardrails built in) and clear guidance on what to do with the results. Giving them more than that isn't generous — it's a burden. It adds cognitive overhead that gets in the way of what they're actually trying to accomplish.
Right-sizing access is a service, not a limitation. When you help someone see that the subway gets them where they need to go faster than learning to drive, you're not restricting them — you're respecting their time and keeping them focused on their actual goal. And from an operational standpoint, it reduces the burden on the people managing the system. Fewer licenses to track, fewer tools to provision, fewer edge cases to troubleshoot. Everybody benefits.
This is what strategic Research Operations looks like. Not gatekeeping, not just logistics — but designing systems that help the right people do the right work in the right way. The licensure model isn't about control. It's about clarity — for the people doing the work, the people supporting them, and the organization that depends on what comes out the other end.
If you're thinking about governance in your own organization, start where I always recommend starting: with an audit. Understand your assets, understand your people, understand what they're trying to do. The framework you build from there won't look exactly like mine — it shouldn't. But the principle holds: match the access to the need, and stop handing out hazmat certifications for coffee runs.
This article draws from a conversation I had with Rally UXR as part of their AMA series, where I discussed the licensure model and other governance frameworks in depth. You can watch the full discussion here.