diff --git a/pkgs/clan-cli/clan_cli/facts/secret_modules/sops.py b/pkgs/clan-cli/clan_cli/facts/secret_modules/sops.py
index 56c268474..071ef3c82 100644
--- a/pkgs/clan-cli/clan_cli/facts/secret_modules/sops.py
+++ b/pkgs/clan-cli/clan_cli/facts/secret_modules/sops.py
@@ -28,6 +28,7 @@ class SecretStore(SecretStoreBase):
 sops_secrets_folder(self.machine.flake_dir)
 / f"{self.machine.name}-age.key",
 priv_key,
+ add_groups=self.machine.deployment["sops"]["defaultGroups"],
 )
 add_machine(self.machine.flake_dir, self.machine.name, pub_key, False)
diff --git a/pkgs/clan-cli/clan_cli/vars/secret_modules/sops.py b/pkgs/clan-cli/clan_cli/vars/secret_modules/sops.py
index 4e7b90602..b38a23750 100644
--- a/pkgs/clan-cli/clan_cli/vars/secret_modules/sops.py
+++ b/pkgs/clan-cli/clan_cli/vars/secret_modules/sops.py
@@ -48,6 +48,7 @@ class SecretStore(SecretStoreBase):
 sops_secrets_folder(self.machine.flake_dir)
 / f"{self.machine.name}-age.key",
 priv_key,
+ add_groups=self.machine.deployment["sops"]["defaultGroups"],
 )
 add_machine(self.machine.flake_dir, self.machine.name, pub_key, False)
diff --git a/pkgs/clan-cli/tests/test_vars.py b/pkgs/clan-cli/tests/test_vars.py
index 5a7355acd..a9f36a978 100644
--- a/pkgs/clan-cli/tests/test_vars.py
+++ b/pkgs/clan-cli/tests/test_vars.py
@@ -159,6 +159,7 @@ def test_generate_secret_var_sops(
 )
+# TODO: it doesn't actually test if the group has access
 @pytest.mark.impure
 def test_generate_secret_var_sops_with_default_group(
 monkeypatch: pytest.MonkeyPatch,
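Review bot: `self.machine.deployment["sops"]["defaultGroups"]` is subscripted directly in the new `add_groups=` argument, so a deployment dict with no `sops` entry or no `defaultGroups` key would raise `KeyError` partway through key generation. The shape of `deployment` is not visible in this hunk, so either confirm the option always evaluates to a list (empty by default) or read it defensively. The value being stored appears to be the machine's own age private key (`priv_key`, written under `<machine>-age.key`), which means every member of a default group can decrypt that key and presumably everything encrypted to the machine; a comment such as `# default groups become recipients of the machine key itself` would make that widening explicit. The identical line added in `vars/secret_modules/sops.py` has the same two points, and the enclosing method starts and ends outside both hunks.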
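Review bot: The added TODO above `test_generate_secret_var_sops_with_default_group` records that the test never checks whether the group gains access, so the access-control effect of the new `add_groups=` argument ships unverified. Because that argument decides who can decrypt a machine key, the test should assert on the recipients of the stored secret: the default group's keys are present and no unrelated group's keys are. The test body lies outside the hunk, so what it currently asserts cannot be seen here.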