The problem is that nothing can be "forced" into any TLD.
You don't even need turnstiles. DFW has quite a few exits that are normal "push-bar" doors, and they have some sort of motion detector that senses if someone starts to walk the wrong way and sounds an alarm. The alarm will also trigger if someone begins to walk out and then turns around to go back into the terminal past the "you must continue to exit" sign. They still post a guard, but presumably they will notice the alarm pretty quickly.
It's much faster than a turnstile (DFW does have those too) and seems to work pretty well.
And what do you do when it's the CEO that keeps calling up saying he wants to be able to connect to YouTube while he's on the VPN and it's too slow?
Forcing all traffic through the tunnel may be ideal, but in the Real World(tm) split tunneling is often the only option.
RTFA... this is exactly what the article says doesn't work well because it often produces completely boneheaded moves on the part of the AI.
You have mail.