1. NIST Special Publication (SP) 800-53, Revision 5, Security and Privacy Controls for Information Systems and Organizations.
Control CM-3, Configuration Change Control: This control explicitly requires organizations to "a. Determine the types of configuration changes that are to be controlled...; b. Approve or disapprove configuration change requests with explicit consideration for security and privacy impacts; [and] c. Document configuration change decisions associated with the system..." (Page 133).
Control CM-4, Security and Privacy Impact Analysis: This control is entirely dedicated to the concept negated in the question. It mandates that "The organization: a. Analyzes changes to the system to determine potential security and privacy impacts prior to change implementation; and b. Documents the security and privacy impact analysis." (Page 134).
2. NIST Special Publication (SP) 800-128, Guide for Security-Focused Configuration Management of Information Systems.
Section 2.2.3, Configuration Change Control: This section states, "Configuration change control is the systematic proposal, justification, implementation, testing, review, and disposition of changes to the system... The process includes managing and controlling all changes to the system configuration... The configuration change control process also ensures that the security impact of any change is analyzed and documented." (Page 8). This directly refutes the premise of the question.
