You'd think that, but, as someone who did a phyiscal pentest on a prison recently, that's 1000% not the case.
You can set up your access controllers for anti-passback, but, most folks don't, because companies don't want to pay the costs associated for an 'in' reader and and 'out' reader and implement that level of security.
Well, the costs for the 'in' and 'out' reader are really not the major issue for most companies, as you could conceivably set a particular perimeter that cordons of 'secure' from 'not secure' and would only have to configure anti-passback for that perimeter. The real trick (and therefore problem) is in making sure that people do not walk through doors together, that is, making sure that only a single person passes the perimeter for a single access request. Single-person passages are way more costly than the readers, and have the additional problem of not allowing all that many people to pass per hour. That means that you may even need multiple for a given people flow. And that's leaving aside the convenience issues.
You can set up your access controllers for anti-passback, but, most folks don't, because companies don't want to pay the costs associated for an 'in' reader and and 'out' reader and implement that level of security.