Empowering product decisions safely: A live conversation with Research leaders from Ramp, Block, & Thumbtack
Every research team runs into the same challenge: how to move fast without putting participant data at risk or getting tangled in compliance red tape. It’s a balancing act that only gets harder as teams grow, tools multiply, and governance becomes everyone’s job.
At Gather & Growth 2025 in New York City, that challenge took the spotlight in a live panel featuring three leaders who’ve been in the trenches of scaling Research Operations:
👋 Michelle Bejian Lotia, Staff UX Researcher at Ramp, supports a decentralized research model across product and design. With 20+ years in UX, she’s built lasting systems for recruitment, governance, and insights sharing at companies like Trainline, Dapier, and Asana.
👋 Niu Chen, Research Operations Program Manager at Block, focuses on automation and AI within Research Ops. With roots in human-computer interaction and trauma-informed design, they bring a thoughtful, systems-level approach to scaling research safely and sustainably.
👋 Katie Hansen, Senior UX Research Manager at Thumbtack, leads a team focused on improving the experience for both homeowners and professionals. With a PhD in social psychology, she’s all about turning user insights into smart, strategic decisions that move the business forward.
If you weren’t able to join us live, or just want a refresh on the insights shared, keep reading or watch the recording.
What motivated your teams to prioritize governance and compliance?
Niu: If my legal and compliance team is watching, we’ve always had them. 😉 But we used to be very product-siloed. Each product team had its own processes, and we ended up with five different consent forms for five different teams. Once we centralized, the challenge became figuring out what our unified workflow should look like. What’s our consent process? What’s our data deletion process? That was the pressure that pushed us to get organized.
Katie: When I joined Thumbtack about a year and a half ago, the team was doing the right things, but everything was informal and mostly spread by word of mouth. As the team grew, and especially as our quantitative research capabilities developed, that approach stopped scaling. We needed more formal processes. I came from Meta, where compliance and process are deeply formalized, so I’ve been helping the Thumbtack team find the right amount of structure for a smaller, faster-moving group.
Michelle: At Ramp, we have a decentralized research model. There’s a small core research team and a product operations group, but more than 40 people across the company conduct research. When I joined and did a listening tour, what I heard again and again was, “We have the tools, but not the time.” People had the right tools, but everything was fragmented and manual. So we focused on time savings as our entry point. We’re introducing proper governance and compliance practices by showing how they can save time and make people’s work easier. If governance existed before, it was scattered, so we’re pulling it together gradually and framing it as a benefit, not a burden.
How do you scale research while keeping governance and compliance in place?
Michelle: For us, it’s really about how we can “sneak in the broccoli” for people who don’t naturally want to eat their vegetables. Our strategy is to save people time and introduce governance along the way. For example, we might say, “We can take recruitment off your plate. You just source your participants, and we’ll handle the rest.” Then we add, “By the way, they’ll need to sign a consent form,” or “You can’t reach out to that participant without checking with the account manager, because they’re a large company.”
It’s about weaving those requirements in so that people can keep moving and see the value exchange clearly. From their point of view, UXR is saving them time and helping them get their work done. Meanwhile, in the background, we’re improving compliance and doing better by our participants and customers than before.
Katie: A big step for us was investing in a tool, which for us is Rally. Instead of having individual data scientists pull lists for every study and scrub them manually for opt-outs, we’re integrating with BigQuery so researchers can do that themselves. And instead of going through marketing operations to send out email surveys, which used to add about two weeks to every project, we’ll be able to maintain our own research-specific cooldown and send surveys directly. That saves time for researchers and for the other teams we depend on.
Niu: It’s difficult no matter what kind of company you’re in, because you have to get so many people involved: legal, vendor procurement, security, and now even AI. That’s why having a strong Research Ops team is so valuable. These are the people who build long-term relationships with those stakeholders. If you’re a researcher trying to scale research on top of everything else, it’s a big challenge.
Having the right tools helps a lot with workflows like consent forms. I also think it’s important to talk about the benefits, such as how a consent form can actually build trust with participants by explaining how their data will be used, where it will be stored, and how long you’ll keep it. Those conversations help create a shared understanding across the team.
Can you share a moment when a lack of guardrails caused a problem or risk?
Niu: A few years ago, I volunteered as a UX researcher for a mental health startup. It was a really sensitive space, because we were dealing with personal health information. We had a screener survey that asked participants to fill out questions about their mental health history so we could identify who to interview.
Someone changed the sharing permissions so that anyone with the link could see all the responses. That meant people’s personally identifiable information and medical history were exposed. When I found out, it was a big “oh no” moment. Everything that could go wrong had gone wrong: privacy, security, compliance, ownership. It was a wake-up call about why guardrails and governance are so important.
Fortunately, the screener had been getting spammed by bots, which made most of the data unusable anyway, so the real participant information wasn’t as visible as it could have been. Still, it was a huge lesson in how serious data safety needs to be, especially in sensitive research areas like mental health.
Katie: Mine was more of an “oops” moment than an “oh no” one. We’ve historically used Qualtrics for surveys, and we have clear documentation for that process, including having legal review every study. About a year ago, we started using Sprig for in-product surveys, but we hadn’t yet built out a formal process or checklist for that tool.
A new researcher was about to launch a survey, and I asked, “You sent this to legal, right?” They had no idea that step was required. Thankfully, it got approved before launch, but it made us realize we needed a better system. We’re now creating a legal-approved survey question library so legal only needs to review new or custom questions, rather than every single survey from scratch. It saves everyone time and reduces the chance of something slipping through the cracks.
Michelle: I haven’t been at Ramp long enough to have any major stories yet, but I can share one from earlier in my career. I was working on a digital train ticketing product in the UK and EU, and the team wanted to get closer to our customers who were train travelers. Someone suggested going on trains with a camera and interviewing passengers in real time.
And this idea came from executives. Some battles you just can’t win. You can explain the standards, the legal requirements, and the fact that we’d likely run into issues with things like consent or even local authorities – like the French rail police. But sometimes, people have to learn those lessons themselves. It taught me that governance isn’t just about rules; it’s about education and helping people understand why those guardrails exist.
When you join a new company, how do you figure out the current state of compliance and make an impact?
Katie: We’re actually doing this right now. The first step was to gather everything that already existed, such as documentation, policies, and templates, and see what was outdated or missing. Then we prioritized the gaps. Now we have a working group focused mostly on survey research, since that’s where we found the most inconsistency.
If you’re a team of one and don’t have a group to divide things up, I’d say make a prioritized list yourself. Start with the biggest gaps or the highest-impact areas. Once you start making progress, it really builds momentum and becomes easier to get others involved.
Niu: I like to use a simple matrix of risk and urgency, from high-risk and high-urgency down to low-risk and low-urgency. Think about what could actually block you from doing research. For example, what legal or privacy issues might prevent you from sending an onboarding survey? That’s how I decide what to tackle first. Some issues are hard blockers that stop research completely, while others are soft blockers that just slow you down.
How do you know whether something is a hard blocker or a soft one?
Niu: You really have to understand the laws and regulations where you’re operating, such as GDPR or other data and privacy laws in different regions. If doing something would be illegal, that’s a hard blocker. That’s a clear reason to push back with confidence. But if it’s something like, “We should have a more polished consent form,” that’s an improvement opportunity. It’s not going to stop you from doing research, but it’s something you can refine over time. There’s a difference between what’s required by law and what’s just good practice.
Michelle: When I join a new company, I start by meeting people where they are. Most people think they’re already doing things the right way, and they usually mean well. They just might not know what’s actually required. I try to assume positive intent and offer guidance in a way that doesn’t slow anyone down.
I also pay attention to what stakeholders already care about. Sometimes they’re focused more on governance than compliance, such as making sure we’re not reaching out to VIP customers or conflicting with account managers. If you can align with what matters to them while also checking the boxes that matter for research, everyone wins.
How do you build relationships with sales and account management teams while staying compliant?
Michelle: For us, it was actually pretty straightforward once we realized where the confusion was. No one knew when account managers needed to be consulted before contacting customers. Some researchers always asked by default, which annoyed the account managers, while others never asked at all, which created risk.
We worked together to define clear thresholds for when it’s necessary and when it’s not. Now we have programmatic governance rules so everyone understands exactly when approval is required. It saves time for researchers and shows the account teams that we respect their workload and their relationships with customers.
Katie: At Thumbtack, researchers can reach out directly to customers and service professionals without going through an account manager. That said, we’re increasingly working with partners and our partnerships team, and that space has been a lot more ambiguous. Honestly, we’ve been figuring it out as we go, so hearing how others approach this is really helpful.
Niu: It’s a similar situation for us. We don’t have a strict policy either, but we focus on aligning incentives. Account managers usually handle VIP or high-volume customers, so we want to make sure our interests are aligned. Sometimes it’s actually empowering for them to get time with a researcher. It gives them the chance to share what they’re hearing from the field and to feel heard.
We frame it as an opportunity to collaborate rather than a favor. It also helps to start from the top with the head of account management and work downward from there. It’s still a very manual process, but it’s effective and builds stronger relationships over time.
Beyond “don’t break the law,” do you have personal rules or guidelines for ethical research?
Katie: Don’t over-contact your users. Give them breathing room and be respectful about how often you reach out. The goal is to learn from them, not to annoy them. Find that balance where you’re staying connected but not overwhelming people with requests.
Michelle: Be respectful of people’s time and help them understand why it matters to talk to you. Especially in B2B contexts, I always include a note explaining why we reached out to that specific person. For example, “You’ve done this particular thing,” or “You’re working on something we’d love to learn more about.” It helps them see that it isn’t a random ask. It shows genuine interest in their experience and makes participants feel seen and valued.
Niu: Always give participants the option to opt out at any point and still get paid if they do. That’s something I brought with me from academia. There’s always a power dynamic between researchers and participants, even if it’s subtle. Letting people stop whenever they want, without penalty, is the more ethical approach, even when it’s not a legal requirement.
When legal or risk stakeholders push back with a “no,” how do you tell if it’s a real blocker or just a misunderstanding?
Katie: When I first reached out to our legal and privacy team at Thumbtack, they were thrilled that we wanted to collaborate. I suggested that we define specific topics that would trigger a legal review for surveys and let everything else move forward freely. They told me they had been reviewing every single questionnaire, which was creating a bottleneck.
We found a middle ground by creating a legal-approved survey question library. Legal reviews and approves the question bank once, and if anyone wants to ask something new, that single question gets flagged for review. It’s about understanding what they’re trying to achieve and finding a way to meet in the middle so both sides feel comfortable.
Michelle: It really helps to take a step back and explain what kind of data is normal and necessary to collect in research. For example, if you’re doing remote UXR, there will be video data, and that usually includes some personal information. There’s no way around that, but you can explain how access is limited, who can see it, and how it’s secured. Anticipating those concerns before they bring them up builds trust, because it shows you’ve already thought through the risks.
Niu: A lot of this comes down to company culture and industry. In sectors like banking, healthcare, or education, the rules are naturally more restrictive. In other industries, there’s more flexibility. If you’re blocked from reaching your own users, look for creative alternatives. Maybe you can talk to similar types of users, analyze customer support data, or work with anonymized or secondary data. The key is to adapt to your organization’s environment rather than fighting against it.
How do you get buy-in from customer success or sales teams to reach out to users without overstepping?
Michelle: We found success by agreeing on clear thresholds. For example, we defined which customers or company sizes require explicit approval and which ones don’t. Once that was established, we could reach out freely to everyone else without creating tension.
It’s really about being proactive. Go to those teams first with a clear proposal and say, “Here’s how we’d like to handle this. Would this work for you?” That kind of collaboration builds trust and prevents issues later on. It shows that you respect their relationships with customers while also protecting the research process.
Niu: If direct outreach is limited, there are still plenty of ways to gather insights. Customer support and sales teams already have valuable information, like call transcripts, chat records, and customer feedback logs. Tools such as Gong make it easy to analyze those interactions.
And with AI, there’s even more opportunity for what I’d call “ambient analysis,” where you can detect patterns or themes from existing conversations without needing to schedule new research sessions. Even if you can’t reach out directly to customers, you can still learn a lot from the data and interactions your company already has.
How do you handle transparency about AI use in research? Do you disclose it to participants?
Michelle: Yes, we have explicitly built that into our consent forms. We tell participants which tools are being used to process their data, and we specifically list any AI tools. That way, everything is clear and transparent from the start, and participants know exactly what is happening with their information.
Niu: In our case, it has not come from legal yet. It is something the research team is driving. We want to stay ahead of it because AI is already deeply embedded in our products, and much of our research focuses on those features. Since those features are powered by customer data, everything is connected. We are trying to make sure participants understand that relationship early on so there is no confusion about how their data might be involved.
How do you balance storytelling, such as using quotes, video, names, or job roles, while protecting participants’ privacy?
Katie: It really comes down to alignment with your legal team. Whatever you plan to do, make sure your consent form states it clearly, and then follow it exactly. That is the simplest and most reliable rule.
Michelle: I have seen different standards depending on the context. In B2B settings, it is often about specific customers and their real identities, so naming can be more acceptable. In B2C environments, where you are dealing with individuals outside of their professional roles, anonymity becomes much more important. It really depends on the nature of the relationship and what participants expect when they agree to take part.
Niu: It also depends on how sensitive the topic is. It is important to remember that a consent form, an NDA, and a marketing release are all different documents. Each one serves a different purpose. Whatever participants sign should match exactly how you plan to use their data, nothing more and nothing less.
What are your hopes and dreams for Rally, especially around governance and compliance?
Michelle: I’m really excited about Rally’s API and how it connects to other systems. The more I use Rally, the more I realize how powerful it is. I keep discovering new things it can do, and it makes me want to pull more data in and out of it. I’d love for Rally to become a true source of truth for UXR across all our tools.
I would love to see an account manager approval workflow built directly into Rally. We already have rules that flag when outreach requires account manager approval. It would be amazing if we could change a status in Rally to “Requires AM approval,” automatically notify the right person, get their sign-off, and then include that participant once approval comes through.
Katie: I feel the same way. I’m very excited to integrate Rally with BigQuery so researchers can pull their own lists instead of depending on data scientists. I’d also love to have one research cooldown pool. Right now, we have separate cooldowns for Qualtrics, Sprig, and dscout. Having a single, unified pool would save so much time. And if Rally could integrate with Sprig, that would honestly make my dream come true.
Niu: Our Research Ops team has a long list of hopes for Rally. We want it to eventually replace all of our qualitative recruitment, and maybe even quantitative research in the future. But even one small improvement, like moving all our consent forms into Rally, would make a big difference.
DocuSign wasn’t great for consent forms, and while Qualtrics works, it’s not really built for managing lists. Being able to handle everything in one place will save both researchers and ops teams a huge amount of time and effort.
💜 Big thanks to Michelle, Niu, and Katie for keeping it real and sharing what it actually takes to balance speed, safety, and trust.
Their stories were a good reminder that governance isn’t red tape. It’s the groundwork for doing research that is fast, ethical, and built to last.