This is something filled out by the security and devops team not by the ticket creator.
Also, best practice would be to have "No impact" require an explanation not just simply a two word brushoff.
Edit: Also at some point you have to trust your team, hire the right type of people, and embed it in the company culture that the analysis is something to be taken seriously. If leadership takes it seriously the people filling out the forms aren't going to brush it off.
The danger for these kinds of controls is that you're trained to say "no impact " many times (because there is none most of the time)