diff --git a/controllers/vaultdynamicsecret_controller.go b/controllers/vaultdynamicsecret_controller.go
index 2472fb94..aafca26d 100644
--- a/controllers/vaultdynamicsecret_controller.go
+++ b/controllers/vaultdynamicsecret_controller.go
@@ -150,6 +150,15 @@ func (r *VaultDynamicSecretReconciler) Reconcile(ctx context.Context, req ctrl.R
 	o.Status.VaultClientMeta.CacheKey = clientCacheKey.String()
 	o.Status.VaultClientMeta.ID = vClient.ID()
 
+	if !o.Spec.AllowStaticCreds && o.Status.LastGeneration != o.GetGeneration() && o.Status.SecretLease.ID == "" {
+		logger.Info("short circuting sync, initial generation with empty lease")
+		o.Status.LastGeneration = o.GetGeneration()
+		if err := r.updateStatus(ctx, o); err != nil {
+			return ctrl.Result{}, err
+		}
+		return ctrl.Result{RequeueAfter: computeHorizonWithJitter(requeueDurationOnError)}, nil
+	}
+
 	var syncReason string
 	// doSync indicates that the controller should perform the secret sync,
 	switch {
@@ -179,6 +188,12 @@ func (r *VaultDynamicSecretReconciler) Reconcile(ctx context.Context, req ctrl.R
 	}
 	doSync := syncReason != ""
 
+	logger.Info("Reconciling",
+		"generation", o.GetGeneration(),
+		"lastGeneration", o.Status.LastGeneration,
+		"leaseID", o.Status.SecretLease.ID,
+		"doSync", doSync,
+	)
 	leaseID := o.Status.SecretLease.ID
 	if !doSync && r.runtimePodUID != "" && r.runtimePodUID != o.Status.LastRuntimePodUID {
 		// don't take part in the thundering herd on start up,
@@ -548,6 +563,12 @@ func (r *VaultDynamicSecretReconciler) awaitVaultSecretRotation(ctx context.Cont
 	}
 
 func (r *VaultDynamicSecretReconciler) updateStatus(ctx context.Context, o *secretsv1beta1.VaultDynamicSecret) error {
+	logger := log.FromContext(ctx).WithName("updateStatus")
+	logger.Info("Updating status",
+		"settingLastGeneration", o.GetGeneration(),
+		"existingLastGeneration", o.Status.LastGeneration,
+	)
+
 	if r.runtimePodUID != "" {
 		o.Status.LastRuntimePodUID = r.runtimePodUID
 	}
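Review bot: The short-circuit guard added after `o.Status.VaultClientMeta.ID = vClient.ID()` fires on every generation change that finds an empty lease ID, not only on the first one, while its log line calls it the "initial generation"; if a backend ever returns a secret without a `lease_id`, each spec change would be deferred by one requeue window before any sync happens. A comment above the `if` stating the intent would let a maintainer tell whether that is deliberate, e.g. `// A VDS whose generation changed but that holds no lease has nothing to renew yet; record the generation and defer the sync to the next requeue.`, and if only the very first generation is meant, `o.Status.LastGeneration == 0` expresses that more precisely than the inequality. The log message also has a typo: `logger.Info("short circuiting sync, initial generation with empty lease")`. Reusing `requeueDurationOnError` for a non-error requeue deserves a named constant or at least a comment, so the delay is not silently changed when error backoff is tuned. Reconcile starts before and continues past this hunk.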
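Review bot: The new `logger.Info("Reconciling", ...)` block after `doSync := syncReason != ""` emits a line at the default level on every reconcile of every VaultDynamicSecret, including the idle ones that exit a few lines later because the lease is still within its renewal window, so it will dominate controller logs at scale. Since it exists for diagnosing generation/lease bookkeeping rather than for operators, gate it at a verbosity level: `logger.V(1).Info("Reconciling", ...)` (the surrounding code appears to use a logr-style logger via controller-runtime; confirm `V` is available on this `logger`). The lease ID is not a bearer credential, but it does reveal the Vault mount path and role name, which is another reason to keep it out of default-level output. Reconcile's body continues outside this hunk.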
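Review bot: The `logger.Info("Updating status", ...)` added at the top of updateStatus uses the keys `settingLastGeneration` / `existingLastGeneration`, which presuppose that this function writes `LastGeneration` from `GetGeneration()`, yet the visible lines only set `LastRuntimePodUID`, and the first hunk assigns `o.Status.LastGeneration` itself before calling updateStatus; if the assignment lives later in the function (outside this hunk) the first-hunk write is redundant, and if it does not, the key names mislead. Either way the function deserves a doc comment naming exactly which status fields it writes, along the lines of `// updateStatus stamps o.Status with the runtime pod UID (and whatever the remainder of the body sets) and writes the status back.`, with the parenthetical replaced by the real list. As with the other new log lines, this runs on every status write and should be `logger.V(1).Info(...)` rather than default level. updateStatus continues past the end of this hunk.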