Today, Internet of Things (IoT) technology is increasingly popular and is applied in a wide range of industry sectors such as healthcare, transportation and some critical infrastructures. With the widespread application of IoT technology, people's lives have changed dramatically. Because of its capabilities for sensitive-data awareness, information collection, communication and processing, IoT raises security and privacy concerns. Moreover, a malicious attacker may impersonate a legitimate user, which may cause security threats and privacy violations. To address these problems, we propose a novel and lightweight anonymous authentication and key agreement scheme for heterogeneous IoT, which is innovatively designed to shift between the public key infrastructure (PKI) and certificateless cryptography (CLC) environments. The proposed scheme not only achieves secure communication among legally authorized users, but also provides additional properties: user anonymity, non-repudiation and key agreement fairness. Through the security analysis, it is proved that the proposed scheme can resist replay attacks and denial of service (DoS) attacks. Finally, the performance evaluation demonstrates that our scheme is more lightweight and innovative.