diff --git a/apis/v1beta1/vsphereclusteridentity_types.go b/apis/v1beta1/vsphereclusteridentity_types.go
index 6195b948e3..c215875314 100644
--- a/apis/v1beta1/vsphereclusteridentity_types.go
+++ b/apis/v1beta1/vsphereclusteridentity_types.go
@@ -23,7 +23,8 @@ import (
 )
 
 const (
- SecretIdentitySetFinalizer = "vspherecluster/infrastructure.cluster.x-k8s.io"
+ SecretIdentitySetFinalizer = "vspherecluster/infrastructure.cluster.x-k8s.io"
+ VSphereClusterIdentityFinalizer = "vsphereclusteridentity/infrastructure.cluster.x-k8s.io"
 )
 
 type VSphereClusterIdentitySpec struct {
diff --git a/controllers/vsphereclusteridentity_controller.go b/controllers/vsphereclusteridentity_controller.go
index 136224296b..1f78708b8a 100644
--- a/controllers/vsphereclusteridentity_controller.go
+++ b/controllers/vsphereclusteridentity_controller.go
@@ -119,6 +119,12 @@ func (r clusterIdentityReconciler) Reconcile(ctx _context.Context, req reconcile
 return ctrl.Result{}, r.reconcileDelete(ctx, identity)
 }
 
+ // Add a finalizer and requeue to ensure that the secret is deleted when the identity is deleted.
+ if !ctrlutil.ContainsFinalizer(identity, infrav1.VSphereClusterIdentityFinalizer) {
+ ctrlutil.AddFinalizer(identity, infrav1.VSphereClusterIdentityFinalizer)
+ return reconcile.Result{}, nil
+ }
+
 // fetch secret
 secret := &corev1.Secret{}
 secretKey := client.ObjectKey{
@@ -171,6 +177,8 @@ func (r clusterIdentityReconciler) reconcileDelete(ctx _context.Context, identit
 err := r.Client.Get(ctx, secretKey, secret)
 if err != nil {
 if apierrors.IsNotFound(err) {
+ // The secret no longer exists. Remove the finalizer from the VSphereClusterIdentity.
+ ctrlutil.RemoveFinalizer(identity, infrav1.VSphereClusterIdentityFinalizer)
 return nil
 }
 return err
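Review bot: `VSphereClusterIdentityFinalizer` in the const block of vsphereclusteridentity_types.go is exported from the API package without a doc comment, and its value differs from `SecretIdentitySetFinalizer` only in the prefix, so it is easy to mix up which object carries which finalizer. I would add `// VSphereClusterIdentityFinalizer is set on a VSphereClusterIdentity so that its credentials secret is cleaned up before the identity is removed.` above it. `SecretIdentitySetFinalizer` would benefit from a matching one-line comment naming the object it is placed on.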
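Review bot: In the Reconcile hunk, `ctrlutil.AddFinalizer` only mutates the in-memory object and the branch then returns `reconcile.Result{}, nil`, so the finalizer reaches the API server only if something outside the hunk (for example a deferred patch of `identity`) persists it; the same applies to both `ctrlutil.RemoveFinalizer` calls in reconcileDelete. If no such patch exists, the identity never gets the finalizer and the credentials secret is left behind on delete, so please confirm the deferred patch or persist the change explicitly before returning. The comment also says "requeue", but the returned result does not request one; the next pass would come from the update event, so I would reword it to `// Add the finalizer and return; persisting it triggers a new reconcile that continues with the secret.` Reconcile starts and ends outside the hunk.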
@@ -185,5 +193,10 @@ func (r clusterIdentityReconciler) reconcileDelete(ctx _context.Context, identit
 if err := r.Client.Update(ctx, secret); err != nil {
 return err
 }
- return r.Client.Delete(ctx, secret)
+ if err := r.Client.Delete(ctx, secret); err != nil {
+ return err
+ }
+ // Remove the finalizer from the identity as all cleanup is complete.
+ ctrlutil.RemoveFinalizer(identity, infrav1.VSphereClusterIdentityFinalizer)
+ return nil
 }
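Review bot: The new `r.Client.Delete` error path in reconcileDelete treats NotFound as a failure, although a secret that is already gone means the cleanup is complete. The preceding `Update` presumably drops the secret's own finalizer (those lines are outside the hunk, so worth confirming). If the secret was already marked for deletion, that update lets the API server remove it and the following Delete returns NotFound, which costs an error log and an extra reconcile before the identity's finalizer is released. I would write `if err := client.IgnoreNotFound(r.Client.Delete(ctx, secret)); err != nil {` instead. reconcileDelete starts outside the hunk.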