Scope creep occurs when pen testers encounter systems or opportunities outside the authorized scope — they MUST stop immediately and get written authorization updated before proceeding.
"But it was an open door" is not a defense. Unauthorized testing, even accidental, is illegal. If you discover an adjacent system while testing authorized targets: document the finding (you may have found additional attack surface), stop testing the out-of-scope system, notify the client and request scope expansion if appropriate.