That's called a White Hat Wake-up. You can do it tactfully.

Discussion

Not really. Yes, they pay me for security and server hosting, but without explicit pentesting permission I could get sued for something like that.

Yes you can. It's called a "real time demo". Make a fake employee to be the target, make fake documents that indicate typical data they would store (customer records, balance sheet, HR records, or whatever would be typical for their dept/industry), then hold a meeting where you demonstrate a compromise.

The resulting information should be 100% financial, showing how much they can lose, and how much they can spend to prevent the loss.