diff --git a/client/allocrunner/taskrunner/identity_hook.go b/client/allocrunner/taskrunner/identity_hook.go
index f318b89b22be..cbbfa6ffda44 100644
--- a/client/allocrunner/taskrunner/identity_hook.go
+++ b/client/allocrunner/taskrunner/identity_hook.go
@@ -36,7 +36,9 @@ func (h *identityHook) Prestart(ctx context.Context, req *interfaces.TaskPrestar
 	defer h.lock.Unlock()
 
 	token := h.tr.alloc.SignedIdentities[h.taskName]
-	h.tr.setNomadToken(token)
+	if token != "" {
+		h.tr.setNomadToken(token)
+	}
 
 	return nil
 }
@@ -45,6 +47,8 @@ func (h *identityHook) Update(_ context.Context, req *interfaces.TaskUpdateReque
 	defer h.lock.Unlock()
 
 	token := h.tr.alloc.SignedIdentities[h.taskName]
-	h.tr.setNomadToken(token)
+	if token != "" {
+		h.tr.setNomadToken(token)
+	}
 
 	return nil
 }
diff --git a/client/allocrunner/taskrunner/task_runner.go b/client/allocrunner/taskrunner/task_runner.go
index 6f8e45c04e7c..12f1abf26be7 100644
--- a/client/allocrunner/taskrunner/task_runner.go
+++ b/client/allocrunner/taskrunner/task_runner.go
@@ -424,6 +424,10 @@ func NewTaskRunner(config *Config) (*TaskRunner, error) {
 		return nil, err
 	}
 
+	// Use the client secret only as the initial value; the identity hook will
+	// update this with a workload identity if one is available
+	tr.setNomadToken(config.ClientConfig.Node.SecretID)
+
 	// Initialize the runners hooks. Must come after initDriver so hooks
 	// can use tr.driverCapabilities
 	tr.initHooks()
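Review bot: The new `if token != ""` guard in Prestart silently keeps whatever token was set before (per the task_runner.go hunk, the node's SecretID) when no signed identity exists for h.taskName, and nothing records that the fallback happened; the identical guard in the Update hunk has the same gap. A comment on the guard would make the intent explicit, e.g. `// An empty token means no workload identity was signed for this task; keep the initial token rather than clearing it.` If the hook has a logger available, a debug-level line naming the task when the identity is absent would make it much easier to diagnose a task that ends up running without a workload identity. Both enclosing methods start outside their hunks.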
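Review bot: `tr.setNomadToken(config.ClientConfig.Node.SecretID)` makes the client's node secret the task's initial Nomad token, and because the identity hook now only overwrites it when a signed identity is present, the fallback lasts for the task's whole lifetime rather than the brief window the comment implies; the comment should say so. Whether that token is ever reachable by the task's own workload is not visible from this hunk — worth confirming it stays client-internal and is never rendered into the task environment or secrets directory. Suggested wording to append to the comment: `// NOTE: if no workload identity is signed for this task, the node secret remains the task's token for its entire lifetime.` NewTaskRunner continues outside the hunk.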