diff --git a/internal/daemon/worker/auth_rotation_test.go b/internal/daemon/worker/auth_rotation_test.go
index 6e4d1ac13e..3f4deee90a 100644
--- a/internal/daemon/worker/auth_rotation_test.go
+++ b/internal/daemon/worker/auth_rotation_test.go
@@ -4,6 +4,8 @@
 package worker_test
 
 import (
+	"bytes"
+	"context"
 	"sync/atomic"
 	"testing"
 	"time"
@@ -109,12 +111,23 @@ func TestRotationTicking(t *testing.T) {
 
 	// Now we wait and check that we see new values in the DB and different
 	// creds on the worker after each rotation period
-	for i := 2; i < 5; i++ {
+
+	// Make sure we have a failsafe in case the below loop never finds what it's
+	// looking for; at expiration the List will fail and we'll hit the Require,
+	// exiting
+	deadlineCtx, deadlineCtxCancel := context.WithTimeout(c.Context(), 10*time.Minute)
+	defer deadlineCtxCancel()
+
+	rotationCount := 2
+	for {
+		if rotationCount > 5 {
+			break
+		}
 		nextRotation := w.Worker().AuthRotationNextRotation.Load()
 		time.Sleep((*nextRotation).Sub(time.Now()) + 5*time.Second)
 
 		// Verify we see 2- after credentials have rotated, we should see current and previous
-		auths, err = workerAuthRepo.List(c.Context(), (*types.NodeInformation)(nil))
+		auths, err = workerAuthRepo.List(deadlineCtx, (*types.NodeInformation)(nil))
 		require.NoError(err)
 		assert.Len(auths, 2)
 
@@ -126,6 +139,11 @@ func TestRotationTicking(t *testing.T) {
 			nodeenrollment.WithStorageWrapper(w.Config().WorkerAuthStorageKms),
 		)
 		require.NoError(err)
+		if bytes.Equal(currKey, currNodeCreds.CertificatePublicKeyPkix) {
+			// Load due to parallel tests may mean that we didn't hit rotation
+			// yet, loop back to evaluate again
+			continue
+		}
 		assert.NotEqual(currKey, currNodeCreds.CertificatePublicKeyPkix)
 		currKey = currNodeCreds.CertificatePublicKeyPkix
 		currKeyId, err := nodeenrollment.KeyIdFromPkix(currNodeCreds.CertificatePublicKeyPkix)
@@ -155,5 +173,6 @@ func TestRotationTicking(t *testing.T) {
 		require.NotNil(w.Worker().GrpcClientConn)
 		require.NoError(w.Worker().GrpcClientConn.Close())
 		require.NoError(w.Worker().StartControllerConnections())
+		rotationCount++
 	}
 }
diff --git a/internal/tests/api/credentials/credentials_test.go b/internal/tests/api/credentials/credentials_test.go
index 5dd32040e3..397eeed2ee 100644
--- a/internal/tests/api/credentials/credentials_test.go
+++ b/internal/tests/api/credentials/credentials_test.go
@@ -468,7 +468,7 @@ func TestUpdateAfterKeyRotation(t *testing.T) {
 
 	// Update JSON credential, will re-encrypt with new key versions
 	obj["password"] = "password"
-	cred, err = credsClient.Update(ctx, cred.Item.Id, 1, credentials.WithJsonCredentialObject(obj))
+	_, err = credsClient.Update(ctx, cred.Item.Id, 1, credentials.WithJsonCredentialObject(obj))
 	require.NoError(err)
 
 	// Create new key versions again
@@ -500,7 +500,7 @@ func TestUpdateAfterKeyRotation(t *testing.T) {
 	for {
 		jobs, err := scopesClient.ListKeyVersionDestructionJobs(ctx, proj.PublicId)
 		require.NoError(err)
-		if len(jobs.Items) == 1 {
+		if len(jobs.Items) >= 1 {
 			break
 		}
 		select {