May 15, 2025

Jared Forney on how governance fuels enablement, adoption, & impact

Governance is one of the most important – and most misunderstood – aspects of scaling research. It’s not just about legal compliance. It’s about enabling access, protecting quality, and making sure your research efforts actually support business goals.

Jared Forney, ReOps Principal at Okta, joined us for a Rally AMA on May 15 to break down the invisible systems behind research: the guardrails, workflows, and permissions that shape who gets to do what, how data is tracked, and how it rolls up to your company’s OKRs.

Missed the event? Or want to revisit the key takeaways? Read the full recap below or watch the live discussion here.

Who is Jared?

I’m a Research Operations Principal at Okta. During my time here I have transitioned from a full-time researcher to building out the Research Operations function from the ground up, specializing in knowledge management, governance, and research workflows. I have also advocated for thoughtful AI enhancements that place researchers, stakeholders, and participants at the center of the insight-forming process. 

How did you get into Research Operations?

I’ve been at Okta now for just over eight years. It’s been quite a while. I’ve gone through three role transitions in my time here. To give you a sense of how much the company has changed, I started as a product designer and researcher hybrid.

After about two years, I moved into research full-time once we had enough design backfill. The company was a little over 1,000 people when I started, and we went public a month after I joined, which spurred a lot of organizational change.

As our research team grew, I noticed I was spending more time balancing day-to-day research with what I now know as Research Ops – admin work, participant logistics, tooling, all of it. And it got to a point where I realized I couldn’t do both jobs well at the same time.

I talked to my manager, and at that point, Research Ops was becoming more solidified as a field. Roles and frameworks were emerging. I thought, “I think there’s this new thing I want to try.”

Kudos to my manager at the time, Jane Johnson. She really encouraged me to take the leap. She supported me in standing up the new function. We co-wrote the job title and description, outlined the responsibilities, and I stepped into it.

That was about three years ago. Since then, I’ve had a lot of great opportunities to help scale our research function at Okta and learn from this community. It’s been quite a journey, and with the advent of AI, I think the importance of Research Ops is only growing.

How do you define governance in the context of Research Operations?

Governance isn’t just about compliance. Compliance is one aspect but governance is really about building for scale. It’s about having the right processes and relationships in place to help research grow in an effective, efficient, safe, and compliant way.

It’s not always about putting up walls or barriers. It’s about ensuring people have the right tools and access to do their best work.

When did governance become a core theme in your work?

Being at Okta, a security company, governance is core to everything we do. One of our company’s core principles is getting the right people the right access at the right time. That mindset really influences how we approach things internally.

So even when I was a designer and researcher, I was already thinking about governance. Once I moved into Research Ops, it was a natural fit. But I didn’t know much about it at first. There weren’t many resources and I felt like I was paving my own road.

That uncertainty is what made me lean in. I started building relationships, asking questions, and diving in. That’s how I’ve gotten to where I am and now I’m able to share what I’ve learned.

What are some core governance practices you put in place early on?

Start with an audit. That’s my number one piece of advice. Every org is different and an audit helps you put a box around the infinite. You learn where your walls are.

When I started working with our legal and privacy teams, I learned they want the same things we do: to know where data is, where it sits, and who can access it. I had to document our tooling for procurement and security reviews but I realized I could take that further.

I created a visual map that showed how data flows through our research process from recruitment to analysis. That helped me keep tabs on everything, but more importantly, it helped me communicate with stakeholders. I could show legal or security folks how research works and how data moves.

That artifact alone built so much goodwill. It showed I’d done my homework and made conversations more productive.

How do you scale governance for self-serve or democratized research?

We’re deep in this right now. Our research team primarily focuses on exploratory, generative work. But we’re seeing growing demand for evaluative research, which is work that our design and product partners can often do with the right tools and support.

The key has been communication. And communication is really about change management.

You can’t just say something once – you need to repeat it in different formats. We write guides, share them in Slack, record walkthrough videos, and use AI to generate summaries of that content. We also reinforce best practices through templates and tooling.

Then we do post-support like lunch and learns, office hours, AMAs like this one. We meet people where they are and communicate in the format that works best for them. That’s how we’re rolling out this complex program.

What are the common pitfalls in rolling out governance programs?

One big lesson: don’t hold on too tightly. The tighter your grasp, the more things often slip through.

There will always be cracks in your process. People will find workarounds, intentionally or not, so don’t restrict too fast or too early. Be flexible. Paint bright lines where you need to but assume people want to do the right thing – they just might not know how yet.

If you come in with rigid assumptions, you miss out on opportunities to collaborate and learn from the people you’re enabling.

What’s your take on Research Ops merging with Product or Design Ops?

It’s a timely question, especially with layoffs and consolidations happening. Ops roles often feel like Swiss Army knives.

At Okta, we have separate Research, Design, and Product Ops roles. They’re embedded in different parts of the org. And I think each role has enough unique responsibilities that combining them could be overwhelming. You’d just be keeping the lights on, not moving anything forward.

So while consolidation might happen in smaller orgs, I really believe Research Ops deserves to be its own function. The scope is just too big to lump in with other ops roles.

How do you make governance approachable for stakeholders?

I use the DMV as an analogy. A driver’s license is a series of validations that give you a certain level of access like driving a car. You don’t start with a full license. You begin with a learner’s permit, then take a test, then maybe get certified to drive a truck or transport hazardous materials.

Governance works the same way. Not everyone needs to be certified for the most sensitive tasks. Some people just need to ride a bike or take the subway. And that’s okay.

Our goal isn’t to make everyone a hazmat driver. It’s to give people the access they need for their context, while keeping things safe, compliant, and efficient.

How do you handle people operating outside of governance guidelines?

Monitoring and enforcement is a team sport. I’m not the sole authority. I rely on relationships with legal, privacy, compliance, and security. People acting outside the guidelines happens. But I focus on what’s in my scope, which is primarily research and product.

When issues do come up, I work with our partners to educate. For example, we’re building out training around handling PII in research because democratization means more people might access sensitive data.

We already have corporate training but we’re tailoring it for research use cases. It’s all about education and shared responsibility.

How do you maintain governance in rapidly evolving areas like AI?

Things are changing fast. Even since we started using AI tools, the guidance around them has evolved – what data we can input, what use cases are approved, all of it. There’s always the risk of shadow IT or people using tools without guidance. That’s why we’ve taken a proactive approach.

I’ve helped author our AI principles, especially from a research perspective. Our team was early in using AI tooling that had pre-approved functionality so we were able to share our experience with others as the broader company framework developed. Being part of the conversation from the start has been key.

What governance concerns come up with a fragmented research stack?

Love this question. This is where things get really complex.

When you’re integrating multiple tools, legal and compliance teams care deeply about data subject requests like CCPA or GDPR. You need to know where that data lives across tools and be able to retrieve or delete it.

We’re starting to use tools like DataGrail to automate that process. That helps reduce the burden of manually checking every system and makes best-in-class tooling more viable.

Another challenge is seat access. Different tools have different pricing models. Some are seat-based, others consumption-based. Managing who has access, for how long, and at what level becomes a governance challenge too. We use things like SCIM and auto-provisioning to help manage this, but there’s still a lot of manual work involved.

How do you build and maintain trust when enforcing governance?

Trust is everything. No one wants to be the bad guy but sometimes you hit a hard no.

The key is communication and transparency. Telegraph changes early and often. If something is going to take time, tell people that. Update them. Even if it’s months later, come back and say, “I haven’t forgotten. Here’s where things stand.”

I recently dealt with a tool request that wasn’t in our stack and didn’t require procurement but still needed a security review. It took months to figure out. But I kept the requester updated, explained the process, and showed that I was advocating for them.

Sometimes the answer is still no but if you’ve explained the why, offered alternatives, and made a real effort, people appreciate it.

Also, anticipation and being proactive build trust. I stay plugged into security and IT channels so I can get ahead of changes. When something rolls out, I already have a plan. That builds confidence in the team and lets researchers focus on their work.

Any final thoughts or advice?

Even though I’m here as the “governance expert,” I didn’t start that way. I’m still learning every day. You’re already an expert in your org. Start with what you know. That’s your foundation.

Reach out to people in legal, privacy, IT. Open the door before there’s a problem. Just say, “Here’s what we’re doing. I think you might care. What do you want to know?”

Those early conversations go a long way. They build relationships and trust. That’s the real secret to building governance. You don’t need a perfect plan, just a starting point and a willingness to collaborate.

Thank you, Jared!

Huge thank you to Jared for joining us for an AMA on one of the most essential (and often misunderstood) topics in research: governance. It was an incredibly thoughtful and engaging conversation. Jared’s work continues to raise the bar for what good Research Ops looks like, and we’re grateful to have had the chance to learn from him and the time, energy, and insight he shared with our community. If you’d like to watch the full AMA, follow this link.