Re: Wasn't "But we had to have SMB for our internal shares on the network" the NHS problem?
Unless your contract clearly states you are responsible for pen testing, you *need* to get written sign-off before you do it. Or be the person who owns the kit. You usually have to write the letter yourself and get the boss to sign it, since they won't care *unless* it goes horribly wrong.
And yes, it's a sensible and reasonable thing to do, but like anything where you're crossing a legal boundary for work, get it in writing. Then you have a clear defense if you get accused of computer crimes. Same as if you're repairing a machine, get the client to sign off on what is happening, so if you find dodgy stuff you won't get in trouble for illegally accessing it.
It's the difference between being a general worker who checks that a secure door is locked by trying the handle (which is OK), versus someone hired to do a security audit attempting to force the door open, attempting to pick the lock etc.