I agree with Patrick on the legal aspects.
If you want to do geolocation it still better to have a separate url. Check this link: https://support.google.com/webmasters/answer/6144055?hl=en - the red box on the page indicates clearly:
"IMPORTANT: We continue to support and recommend using separate locale URL configurations and annotating them with rel=alternate hreflang annotations."
It continues with: "If your website has pages that return different content based on the perceived country or preferred language of the visitor (i.e., you have locale-adaptive pages), Google might not crawl, index, or rank all of your locale-adaptive content. This is because the default IP addresses of the Googlebot crawler appear to be based in the USA. In addition, the crawler sends HTTP requests without setting Accept-Language
in the request header."
While the article also states that Google bot can also use foreign IP adresses, so it would be capable to detect the non-us version of the content, based on the remarks above it doesn't guarantee that the full site will be indexed.
To be honest, I don't think this is a risk your client is willing to take (unless non-us sales are not important)
The hreflang would be useless in this case - as you don't have an alternate url in this scenario.
My advice would be to use geolocation but to redirect non us visitors to an international url (like the alternative you mentioned). You could block access to this site for US visitors but then you create the same dependency of the non-US based Googlebots - which doesn't seem to be advisable). In this scenario you do have the risk that the suppliers would find out that an international version exist.
You might want to check this question as well (http://moz.com/community/q/personalization-software-and-seo)- the geo location in this case was on region/citylevel which is impossible to do.
Hope this helps,
Dirk