I'm listing out IT Infra changes that require CR / change control ie subject to CAB.
1. OS, network device OS patching/update/upgrade
2. Installing or configuring a software/feature
3. Adding/deleting/amending an ACL or firewall rule for Production purpose
4. Configuring DB changes : to list out ...
5. Hardenings & OS changes (permission changes etc)
6. OS/device tunings (including migrating services behind WAF, ...)
7. changing account/object privileges
However, I think the following just require an SR/email:
a. blocking of IOCs (from threat Intels)
b. unlocking accounts/password resets
c. login to check/extract information (Cisco 'show run')
d. restarting / rebooting a service or OS due to fix a problem