The ISO 13485 standard states that the need for validation of the process exists when the resulting output cannot be OR IS NOT verified by subsequent monitoring or measurement...
Software validation is a bit of a different beast. The standard cites a requirement for software validation in multiple places, including 4.1.6 (general requirement for software validation in support of the QMS), 7.5.6 (for software used in production and service provision), & 7.6 (software used in monitoring & measurement).
The standard allows (of course) a risk-based approach to software validation (commensurate with the risk).
I agree with others who indicated the CNC software should be validated. I don't disagree that doing a first article would support software validation but there's more to software validation than just "happy path" use. For example, is the software sufficiently controlled from unauthorized change? There may be other considerations specific to CNCs and potential (mis)use.
You should consider establishing a Validation Master Plan to drive your software validation efforts and establish your risk-based approach.