The client seems to think that spamming is as easy on this desktop AIR widget as it is on a web form.
Your client is off a bit. It's possible that it's even easier in the AIR application than it is on a web form. Reasoning: AIR applications do not protect their source. Depending on how you built your application a malicious user can alter the application directly before running it. At least you're using Flex (which can be pretty protected), on the js side we're hosed without obfuscation and decent obfuscation in JS requires eval which is not allowed by the AIR runtime. (All we really have is minor obfuscation and removal of white space, which is no protection at all.)
I'd consider a captcha a good idea personally if the client wants it. You could always detect how often the form in question is being submitted by the user and only ask for the captcha if it's within some arbitrary timeframe.
Edit: I just looked at the Flex captcha posted in the above reply and I'm not sure that style implementation is a good bet. If your application is submitting to a webservice then it's presence is pretty easily discoverable regardless what style AIR application you are implementing (URLRequest or other request will easily show up when monitoring HTTP traffic.) If your application / service is popular and you are worried about spam, request a captcha image from the server itself and validate against it. That will ensure that the server is secure and what your application does will matter little.
(just my 2cents)