diff --git a/terraform/live/dev/env.hcl b/terraform/live/dev/env.hcl
index aba4038..346ec69 100644
--- a/terraform/live/dev/env.hcl
+++ b/terraform/live/dev/env.hcl
@@ -1,8 +1,11 @@
 locals {
- environment = "dev"
- region = "us-west-2"
- cluster_name = "eks-dev"
- account_id = "REPLACE_WITH_DEV_ACCOUNT_ID"
+ environment = "dev"
+ region = "us-west-2"
+ cluster_name = "eks-dev"
+ # account_id resolves at parse time from AWS_ACCOUNT_ID — it names the state
+ # bucket in root.hcl before any AWS call, so it can't arrive as a TF_VAR_. The
+ # orchestrator sets it; for a manual run, export AWS_ACCOUNT_ID in the shell.
+ account_id = get_env("AWS_ACCOUNT_ID")
 cost_center = "engineering"
 business_unit = "platform"
 }
diff --git a/terraform/live/production/env.hcl b/terraform/live/production/env.hcl
index 16413e8..2919e5c 100644
--- a/terraform/live/production/env.hcl
+++ b/terraform/live/production/env.hcl
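Review bot: `account_id = get_env("AWS_ACCOUNT_ID")` takes whatever the caller's shell holds, and per the new comment root.hcl (outside this diff) bakes that straight into the state bucket name, so an unset, empty or mistyped value re-points the dev stack at a different bucket — one terragrunt may auto-create — instead of failing. Confirm that the one-argument `get_env` aborts on an unset variable on the pinned terragrunt version rather than yielding an empty string, and reject anything that is not an account id before it reaches the backend config, e.g. `account_id = can(regex("^[0-9]{12}$", get_env("AWS_ACCOUNT_ID", ""))) ? get_env("AWS_ACCOUNT_ID", "") : file("ERROR: AWS_ACCOUNT_ID must be a 12-digit AWS account id")`. If root.hcl is where the bucket name is assembled, that check belongs there once rather than in each env.hcl.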
@@ -5,14 +5,15 @@ locals {
 cost_center = "engineering"
 business_unit = "platform"
- # account_id is the only environment-identifying value that has to live
- # in git: terragrunt's `remote_state.config.bucket` evaluates this at
- # parse time, so the backend bucket name needs it before any AWS API
- # is reachable. All other infrastructure identifiers (OIDC issuer,
+ # account_id resolves at parse time from the AWS_ACCOUNT_ID environment
+ # variable: terragrunt's `remote_state.config.bucket` embeds it and is
+ # evaluated before any AWS API is reachable, so it can't arrive as a
+ # `TF_VAR_` (those reach the leaf module, not the backend config) — and it
+ # stays out of git. All other infrastructure identifiers (OIDC issuer,
 # VPC/subnet IDs, KMS key ARN, route tables, security group, Karpenter
 # node-role name) come in as `TF_VAR_*` from the orchestrator (portal
 # workspace variables for the production deploy). Leaves declare the
- # variables in `variables.tf`; if a leaf is run outside portal, set the
- # corresponding TF_VAR_ in the shell.
- account_id = "351619759866"
+ # variables in `variables.tf`. The orchestrator sets AWS_ACCOUNT_ID; if a
+ # leaf is run outside portal, export AWS_ACCOUNT_ID (and the TF_VAR_s) first.
+ account_id = get_env("AWS_ACCOUNT_ID")
 }
diff --git a/terraform/live/staging/env.hcl b/terraform/live/staging/env.hcl
index 9c9e3ef..506c936 100644
--- a/terraform/live/staging/env.hcl
+++ b/terraform/live/staging/env.hcl
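Review bot: Replacing the literal `"351619759866"` with `get_env("AWS_ACCOUNT_ID")` means the production directory no longer pins which account's state bucket it uses — a manual run with a stale export (a dev account id, or nothing at all) resolves `remote_state.config.bucket` to some other bucket, terraform then sees an empty state for production and plans to recreate everything, and if terragrunt's bucket auto-creation is on it creates that bucket on the fly rather than failing. The removed comment called this the one identifier that had to live in git, and an AWS account id is not treated as a secret by AWS, so the reason for taking it out of git is worth stating in the new comment. If it must come from the environment, tie it to the credentials actually in use instead of trusting the shell: at parse time cross-check it against `run_cmd("--terragrunt-quiet", "aws", "sts", "get-caller-identity", "--query", "Account", "--output", "text")` and abort on a mismatch, assuming an STS call is acceptable there (the comment's "before any AWS API is reachable" refers to the backend, but `run_cmd` runs at parse time with the same credentials). At minimum add a `^[0-9]{12}$` check so an empty or garbage value can never reach the bucket name.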
@@ -1,8 +1,11 @@
 locals {
- environment = "staging"
- region = "us-west-2"
- cluster_name = "eks-staging"
- account_id = "REPLACE_WITH_STAGING_ACCOUNT_ID"
+ environment = "staging"
+ region = "us-west-2"
+ cluster_name = "eks-staging"
+ # account_id resolves at parse time from AWS_ACCOUNT_ID — it names the state
+ # bucket in root.hcl before any AWS call, so it can't arrive as a TF_VAR_. The
+ # orchestrator sets it; for a manual run, export AWS_ACCOUNT_ID in the shell.
+ account_id = get_env("AWS_ACCOUNT_ID")
 cost_center = "engineering"
 business_unit = "platform"
 }
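Review bot: The three-line explanation of why `account_id` cannot be a `TF_VAR_` is now pasted verbatim into dev and staging, with a longer variant in production, so the next change to the state-bucket scheme has to touch three files and they will drift; the reasoning belongs once where the bucket name is assembled (root.hcl, per the comment itself), with each env.hcl carrying a one-line pointer such as `# account_id: read from AWS_ACCOUNT_ID at parse time — see root.hcl for why it cannot be a TF_VAR_.` The `environment`, `region` and `cluster_name` lines are removed and re-added with no visible change, which looks like formatter realignment; keeping that out of a behaviour-changing commit makes the account_id change easier to audit. The same unset/empty-value concern as in dev applies here: a value that is not a 12-digit account id should be rejected before it reaches the backend config.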