Abstract
Across the globe and throughout industry, Information Technology governance, risk management and compliance (GRC) practices are becoming institutionalized. In the United States, however, the adoption of IT GRC in higher education remains low relative to its importance. This study examines the underlying reasons why higher education IT GRC adoption is low, and proposes practices and policy changes that may improve GRC adoption. In this qualitative study, the researcher interviews CIOs, CISOs, other IT staff, and other university executives at five institutions in the University System of Georgia for their perspectives on the underlying reasons for low IT GRC adoption. Findings indicate that organizational change factors are involved and that institutional isomorphism plays a role in IT GRC adoption.